Banks, insurance companies and other financial institutions have only a few days left to comply with the first wave of requirements under New York’s controversial new cybersecurity regulation.

On March 1, 2017, the New York State Department of Financial Services enacted the regulation, “Cybersecurity Requirements for Financial Services Companies,” which set a new standard for state data security compliance. The regulation imposes detailed requirements on financial firms including an annual attestation by the board or a senior corporate officer that their institution passes muster under the regulation.

By August 28th, financial firms are required do the following:

  • Designate a Chief Information Security Officer responsible for overseeing, implementing, and enforcing the institution’s Cybersecurity Policy;

  • Put in place a risk-based Cybersecurity Program “designed to protect the confidentiality, integrity and availability” of an institution’s information systems;

  • Implement a Cybersecurity Policy setting forth “policies and procedures” for the protection of the organization’s network and sensitive information;

  • The board of directors or a senior officer must approve the Cybersecurity Policy;

  • User privileges must be limited on information systems that provide access to nonpublic information;

  • “Qualified cybersecurity personnel” must be used to “perform or oversee” core cybersecurity functions; and

  • A “written incident response plan” must be in place to enable the institution to respond to a data security event.

This initial set of requirements are just the beginning. Over the next 18 months, firms are required to implement additional safeguards – ranging from multi-factor authentication to risk-based user policies.

Next week, we’ll take a look at the New York requirements that are on the horizon.