With cyber intrusions becoming more common and sophisticated, the New York State Department of Financial Services (DFS) has implemented a new, “first-in-the-nation” cybersecurity regulation to combat these ever-increasing dangers, which went into effect on March 1, 2017. The new regulation will require banks, insurance companies and other financial services institutions regulated by the DFS to establish and maintain cybersecurity programs designed to safeguard consumers’ sensitive information and ensure industry safety by implementing vigorous controls to detect, thwart and report cyber incidents. Essentially, almost any entity that operates under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking, insurance and financial services laws of the state of New York is covered by the regulation, with only a few exemptions. However, even exempted entities must file a certificate of exemption with the DFS within 30 days.
The new regulation will have far-reaching effects, felt beyond the state of New York, and is likely to become the baseline standard for the industry as more states are sure to follow suit. Not only will the regulation affect the covered entities, but also the numerous service providers of those entities. Even if a company has the most sophisticated cybersecurity protections in the industry, those protections will be ineffective if its third-party service providers have weak systems or controls. Therefore, cybersecurity programs must remain dynamic to keep pace with technological advances in this fast-changing landscape. Among other things, the regulation requires covered entities to:
- Conduct periodic risk assessments;
- Maintain a cybersecurity program based on the risk assessment;
- Implement written cybersecurity policies;
- Comply with governance and staffing requirements, including appointment of a Chief Information Security Officer by August 2017;
- Limit user access privileges;
- Install a vendor risk-management program, policies and procedures;
- Destroy nonpublic information periodically and securely;
- Establish a written incident-response plan;
- Provide regular cybersecurity awareness training; and
- Notify the DFS of any breaches within 72 hours.
Although the regulation has already gone into effect, it includes transition periods of between one and two years for most requirements. However, even with the staggered compliance dates, full compliance with such an expansive regulation will be challenging. With cybersecurity threats growing and becoming more dangerous, companies can no longer sit back and assume “it will never happen to me.”