Given the alarming regularity with which data breaches are occurring in the United States [1] and the flagging efforts of the federal government to provide any consistency in this area, it should come as no surprise that individual states are looking to fill the gap when it comes to regulating cybersecurity. The first foray into comprehensive state regulation of business data protection practices, and arguably the most stringent, is New York’s Cybersecurity Requirements for Financial Services Companies, to be found at 23 NYCRR 500.

Who must comply? Any individual or non-governmental entity that commercially provides insurance or banking/financial services to New York residents is likely covered by these regulations.

What information needs to be protected? Most personally identifiable health or financial information and any business-related information that would materially impact the business, operations or security of the covered entity if it was lost, stolen, destroyed or altered.

What are some of the key requirements?

  • The CISO and Cybersecurity Personnel – Each covered entity must appoint a Chief Information Security Officer (CISO) who bears the primary (but not the sole) responsibility for implementing the covered entity’s cybersecurity program and enforcing its cybersecurity policies. The covered entity must also hire additional qualified cybersecurity personnel to manage cybersecurity risks and oversee the core functions of the cybersecurity program.
  • Application Security – Internally created software applications must be developed using secure development practices, and external applications must be properly evaluated, assessed and tested before use.
  • Testing – Covered entities must routinely test the effectiveness of their cybersecurity program, including continuous monitoring or periodic penetration testing and vulnerability assessments.
  • Third-Party Service Providers – Covered Entities must develop policies to assess, evaluate and test the cybersecurity of any other entity, such as cloud service providers, that has access to the covered entity’s information systems.
  • Training and Monitoring – The cybersecurity program must implement policies designed to monitor user activity and detect unauthorized access and provide regular cybersecurity awareness training for all personnel.
  • Incident Response Plan – Each covered entity must establish a written incident response plan that is designed to promptly respond to and recover from any cybersecurity event that threatens its information systems.

While these regulations went into effect on March 1, 2017, covered entities have a bit more time to ensure compliance – anywhere from six months to two years depending upon the particular compliance requirement. However, if your company is subject to these regulations (and frankly, even if it is not), preparing for compliance should become a top and immediate priority. It will not only keep you in the good graces of state regulators, but also show your company’s firm commitment to protecting your customers’ confidential information.