Companies that are subject to New York’s Cybersecurity Regulation are moving quickly to finalize their compliance obligations under the Cybersecurity Regulation, as the second “due date” quickly approaches – February 15, 2018. By August 28, 2017, Covered Entities were required to have a cybersecurity program in place, as well as a board (or senior officer) approved written cybersecurity policy and Chief Information Security Officer to help protect data and systems. They also became obligated to report cybersecurity events to the NYDFS.

By February 15, 2018, Covered Entities must comply with additional obligations under the NY Cybersecurity Regulation including: implementation of a formal, written Cybersecurity Program and Cybersecurity Policy, limitations/restrictions on access privileges to information systems that provide access to nonpublic information, utilization of qualified cybersecurity personnel (internally or through qualified third party providers), designation of a new chief information security officer and development of a written Incident Response Plan. By February 15, 2018, Covered Entities must file their first annual certification of compliance with the Cybersecurity Regulations.

The NYDFS has been assisting Covered Entities with compliance questions through its frequently asked questions (“FAQs”) and answers on the NYDFS website, originally published on June 20, 2017 and updated most recently on December 12, 2017. The now 26 questions in the FAQs section address the types of entities that fall within the scope of the Cybersecurity Regulations, the notice requirements attending a Cybersecurity Event (as defined in the regulations), the annual certification requirement, and additional specific elements of the rules.

The NYDFS Cybersecurity Regulations (published at 23 NYCRR 500.01) set forth the minimum requirements for NYDFS-regulated entities to address cybersecurity risk. For background, see our report, “NYDFS issues final cybersecurity regulations, setting new industry standard for cybersecurity controls”.