On Feb. 16, 2017, the New York State Department of Financial Services (“NYDFS”) issued its final regulation imposing new, rigorous cybersecurity requirements on banks, consumer lenders, money transmitters, insurance companies and certain other financial service providers (each, a “Covered Entity”) regulated by the NYDFS (the “Final Cybersecurity Rule”).[1] It will take effect on March 1, 2017.

The Final Cybersecurity Rule is nearly identical in all material respects to the NYDFS’s revised proposal that was issued on Dec. 28, 2016 (which was revised from an earlier draft issued on Sept. 13, 2016).[2] Thus, as we have discussed in our prior Alerts, in many ways the Final Cybersecurity Rule exceeds what other regulators have suggested, much less required, with regard to cybersecurity.[3] Further, given the scope and footprint of many New York financial institutions, the Final Cybersecurity Rule will likely have an impact far beyond the state of New York.

  • Covered Entities have until March 1, 2018 to comply with:
    • The reporting obligations of the Chief Information Security Officer;
    • The requirement to conduct periodic risk assessments;
    • Any requirement to conduct annual penetration testing and bi-annual vulnerability assessments;
    • Any requirement to implement multifactor authentication or risk-based authentication; and
    • The obligation to provide regular up-to-date cybersecurity awareness training for all personnel.
  • Covered Entities have until Sept. 1, 2018 to comply with:
    • Any requirement to maintain audit trail systems;
    • The requirements to implement:
      • Written procedures, guidelines and standards on application security;
      • Policies and procedures for the secure disposal of “Nonpublic Information”; and
      • Policies, procedures and controls to monitor authorized users; and
    • Any requirement to encrypt Nonpublic Information.
  • Finally, Covered Entities have until March 1, 2019 to comply with the requirement to implement written policies and procedures regarding the security of systems and information accessible to, or held by, third-party service providers.