New York State adopted what it claimed was the “first-in-the-nation” regulation requiring commercial banks, insurance companies and other financial services entities regulated by the NY Department of Financial Services to implement and maintain a cybersecurity program designed to protect consumers’ private information and the entities’ own information technology systems. Among other things, each covered entity’s cybersecurity program should be based on its own risk assessment and be designed to (1) identify and evaluate internal and external cybersecurity threats that might compromise nonpublic information stored on the entity’s information system; (2) protect the entity’s information system and nonpublic data from unauthorized access through the use of “defensive infrastructure”; (3) detect cybersecurity breaches; (4) respond to cybersecurity breaches to minimize any adverse impact; (5) recover from cybersecurity attacks and resume normal operations; and (6) satisfy all regulatory reporting requirements. Covered entities are also required to appoint a chief information security officer; conduct continuous monitoring or periodic penetration testing and vulnerability assessments; and provide regular cybersecurity training to staff, among other obligations. Covered entities must submit a certification to the NYDFS Superintendent by February 15 of each year confirming that they are in compliance with all requirements of New York’s cybersecurity regulation. Smaller entities may be exempt from certain of the state’s requirements. The new regulation will be effective March 1, 2017; however, the compliance dates for certain provisions are delayed for up to two years.
Compliance Weeds: All members of the National Futures Association have been required to implement and enforce written policies regarding cybersecurity since March 1, 2016. These policies must be “reasonably designed to diligently supervise the risks of unauthorized access to or attack of their information technology systems, and to respond appropriately should unauthorized access or attack occur.” The requirements do not impose one-size-fits-all obligations on members, but instead permit members to adopt procedures relevant to the type, size and complexity of their business. (Details of the NFA’s requirements appear in the article “NFA Proposes Cybersecurity Guidance” in the November 13, 2015 edition of Bridging the Week.)