The New York State Department of Financial Services (“DFS”) Cybersecurity Regulation (“Regulation”) took effect on March 1, 2017, and applies to those operating or required to operate under New York banking, insurance and finance laws (“Covered Entities”). Covered Entities should have been in compliance with portions of the Regulation as of August 28, 2017. The next deadline under the Regulation is rapidly approaching and Covered Entities are required to submit their first certification of compliance with the Regulation on or prior to February 15, 2018.

In short, the Regulation applies to those regulated, operating or licensed under New York banking, insurance and finance laws. The Regulation is based primarily upon an organization’s risk assessment. It broadly defines Nonpublic Information (“NPI”) to include a mix of protected health information, personally identifiable information and material business information.

Key Dates

Below is a summary of the key dates under the Regulation. Some of these dates have already passed and others are quickly approaching. Capitalized terms are defined in the Regulation.

August 28, 2017

By August 28, 2017, Covered Entities were to have the following in place:

A. Cybersecurity Program based upon a risk assessment and addressing cybersecurity risks, procedures to protect NPI, detection of and response to cybersecurity events, and access privileges.

B. Cybersecurity Policy that addresses, where applicable:

(1) information security;

(2) data governance and classification;

(3) asset inventory and device management;

(4) access controls and identity management;

(5) business continuity and disaster recovery planning and resources;

(6) systems operations and availability concerns;

(7) systems and network security;

(8) systems and network monitoring;

(9) systems and application development and quality assurance;

(10) physical security and environmental controls;

(11) customer data privacy;

(12) vendor and Third Party Service Provider management;

(13) risk assessment; and

(14) incident response.

C. Chief Information Security Officer (CISO) who will report to the Board, oversee the cybersecurity program and enforce the cybersecurity policy.

D.Cybersecurity Training and use of qualified cybersecurity personnel and vendors.

E. Incident Response Plan. The Regulation also requires notice to the DFS Superintendent within 72 hours from a determination that a “Cybersecurity Event” has occurred that requires notice under the law or “has a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.”

February 15, 2018

A. Certification of Compliance with the Regulation to the DFS Superintendent. A Covered Entity is required to maintain records, schedules and data that supports the certification.

March 1, 2018

A. CISO Report to the board of directors or equivalent governing body addressing NPI, cybersecurity policies and procedures, material cybersecurity risks, overall effectiveness of the cybersecurity program, and material Cybersecurity Events.

B. Annual Penetration Test/Bi-Annual Vulnerability Assessments. Alternatively, Covered Entities should conduct continuous monitoring to detect changes or activities within their Information Systems that may create or indicate the existence of cybersecurity vulnerabilities or malicious activity.

C. Risk Assessment. Periodic risk assessments should address the criteria for the evaluation of cybersecurity risks as it concerns the Covered Entity’s Information Systems and NPI, as well as how risks will be mitigated or accepted.

D. Multi-Factor Authentication, where necessary based upon risk assessment. However, multi-factor authentication shall be utilized for any individual accessing a Covered Entity’s internal networks from an external network, unless the CISO has approved otherwise in writing.

E. Continued Cybersecurity Training and Monitoring.

September 3, 2018

A. Audit Trail providing the ability to reconstruct material financial transactions sufficient to support normal operations and obligations of the Covered Entity (retained for at least five years). Audit trails are also to detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity (retained for at least three years). 

B. Application Security policies and procedures for the secure creation of in-house developed applications and procedures for assessing the security of externally developed applications.

C. Limitations on Data Retention as set forth in policies and procedures, including steps for the secure, periodic disposal of any NPI that is no longer necessary for business operations or for other legitimate business purposes of the Covered Entity, except when retaining such information is otherwise required by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.

D.Continued Cybersecurity Training and Monitoring.

E. Encryption of NPI in transit over external networks and at rest, unless infeasible and an alternative compensating control is reviewed and approved by the CISO.

February 15, 2019

A. Certification to the DFS Superintendent.

March 1, 2019

A. Third Party Service Provider Security Policy addressing third-party vendor’s handling of NPI and assessment of such providers.

February 15 of Each Year Thereafter

A. Certification to the DFS Superintendent.