The eighteen month transitional period under the New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies expires on September 4, 2018. These requirements apply to entities, “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” In less than a month, these Covered Entities subject to Part 500 are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.
These requirements include:
- Implement and maintain audit trail requirements (500.06);
- Adopt written application security requirements (500.08);
- Adopt written data retention requirements (500.13);
- Implement monitoring/unauthorized access requirements (Section 500.14(a)); and
- Implement encryption requirements (500.15).
The final compliance deadline is March 1, 2019. In addition to those aforementioned Covered Entities, credit reporting agencies with significant operations in New York were recently required to comply with the cybersecurity regulations.