For entities regulated by the New York Department of Financial Services, the deadline for complying with the new Cybersecurity Requirements for Financial Services Companies, 23 NYCRR Part 500, is Monday, August 28, 2017. To assist, the Department recently updated its Frequently Asked Questions Regarding 23 NYCRR Part 500.
In short, and subject to certain exemptions, the Regulation generally applies to entities required to operate with a license or other formal authorization under New York's Banking Law, Insurance Law, or Financial Services Law. Among other things, the Regulation requires covered entities to:
- Maintain a cybersecurity program, conduct periodic risk assessments, maintain written policies and procedures to protect information systems and nonpublic information, ensure the security of information handled by third parties, designate a Chief Information Security Officer, and conduct training and monitoring.
- Employ certain technical measures—namely, penetration testing and vulnerability assessments, limitations on access privileges, multifactor authentication, encryption of nonpublic information at rest and in transit over external networks, and limitations on data retention.
- Develop an incident response plan.
- Notify the Superintendent of Financial Services within 72 hours of determining that a cybersecurity event occurred, and maintain an audit trail designed to detect and respond to such events. The Regulation defines a "cybersecurity event" as any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt, or misuse an information system or electronically stored nonpublic information.
Additionally, directors and/or senior officials must certify that they have reviewed reports and other documentation and that the covered entity's cybersecurity program complies with the Regulation. Although the Regulation does not specify penalties for noncompliance, it may be enforced under any applicable laws, including New York's banking, insurance, or financial services laws that contain civil and criminal penalties.
The Colorado Division of Securities has adopted similar rules, and other states may follow.