The New York Department of Financial Services’ (DFS) cybersecurity regulations took effect March 1—is your entity in compliance?

What happened

The “Cybersecurity Requirements for Financial Services Companies” were initially proposed last September by the DFS with a modified proposal released in late December based on comments and testimony.

The first-in-the-nation regulations for banks, insurance companies and other financial services institutions under DFS jurisdiction require covered entities to assess their specific risk profile and design a program that will “ensure the confidentiality, integrity and availability” of the entity’s information systems and “nonpublic information,” including any business-related information, information provided to a covered entity, healthcare information, and personally identifiable information.

In addition, covered entities must establish a written cybersecurity policy covering topics ranging from business continuity and disaster recovery planning to physical security and environmental controls to the designation of a Chief Information Security Officer (CISO), with that officer or another member of senior management obligated to file an annual certification with the DFS that confirms compliance with the regulations.

Changes made to the initial proposal included additional or modified definitions (for terms such as “Third-Party Service Provider” and “Nonpublic Information”) and an explanation that certain items in the required cybersecurity policy were not black-and-white mandates, but should be based on the institution’s risk assessment (such as the use of multi-factor authentication for employees accessing internal databases).

The modified proposal also featured clarifications about the CISO position, which does not have to be a new hire or an individual dedicated solely to CISO activities, the DFS said. The officer can even be employed by an affiliate of the covered entity or by a service provider.

Other requirements established by the regulation: a “periodic” risk assessment and an obligation to maintain audit trails for cybersecurity events “that have a reasonable likelihood of materially harming any material part of the normal operations.” DFS also established limited exemptions. For example, the regulation does not apply to “small” covered entities—defined as those with less than ten employees and independent contractors, less than $5 million in gross annual revenue in each of the last three years, or less than $10 million in year-end assets—as well as covered entities that do not “control, generate, or receive nonpublic information.”

“New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and the financial system from the ever increasing threat of cyber-attacks,” Governor Andrew Cuomo said as the regulation took effect. The regulation “will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes.”

To read the NYDFS regulation, click here.

Why it matters

The final regulation is risk-based and establishes “regulatory minimum standards while encouraging firms to keep pace with technological advances,” the DFS said in a statement. Covered entities should carefully review the regulation to ensure compliance now that the effective date has passed.