New cybersecurity-related regulations issued by New York state regulators took effect March 1, 2017. The rules, which directly impact all entities regulated by the New York Department of Financial Services (such as insurers, mortgage lenders, some investment companies and many banks, among others) will inevitably affect compliance programs at financial institutions nationwide.

Broadly speaking, the regulation can be parsed into three categories of compliance requirements:

  • Management/Policy Requirements – e.g., hiring or appointing a chief information security officer, training staff in data security and privacy procedures, and maintaining policies that cover the institution and its third-party service vendors;
  • Operational/Technical Requirements – e.g., performing periodic penetration testing, implementing multifactor authentication systems and the like; and
  • Reporting Requirements – e.g., reporting certain security incidents to the NYDFS

The rule also has a complex (though helpful) feature that allows larger institutions to leverage their affiliates’ cybersecurity work to create efficiencies in their compliance programs.

Although effective March 1, 2017, the first real compliance deadline does not occur until August, with remaining deadlines arising on a rolling basis through 2019.