As discussed in our March 1, 2017 update,[1] the New York Department of Financial Services ("NYDFS") issued final regulations that require New York banks and insurance companies, as well as other financial services companies that are supervised by the NYDFS—including New York state-licensed branches and agencies of non-US banks—to establish and maintain a cybersecurity program designed to protect consumers’ private data and ensure the safety and soundness of New York’s financial services industry ("Cybersecurity Regulations").[2] The Cybersecurity Regulations are contained in new Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations of the State of New York, 23 NYCRR 500, and are available here.

The Cybersecurity Regulations took effect on March 1, 2017, but are subject to a 180-day transitional period (i.e., until August 28, 2017) for general compliance. Additional transitional periods are provided for specific provisions of the Cybersecurity Regulations. Covered Entities (defined below) will be required annually to prepare and submit to the NYDFS Superintendent a Certification of Compliance with the Cybersecurity Regulations commencing February 15, 2018.

Overview

In recognition of the growing cyberthreats facing US financial institutions, including those supervised by the NYDFS, the NYDFS issued the Cybersecurity Regulations to promote the protection of customer information as well as the information technology systems of supervised entities.

In general, the regulations require supervised entities to assess their specific risk profile and design a program that addresses cybersecurity risks in a robust fashion. As detailed more fully in our March 1 update, the Cybersecurity Regulations impose certain regulatory minimum standards aimed at helping institutions to prevent and avoid cyber breaches. Such minimum standards include:

  • Controls relating to the governance framework for a robust cybersecurity program including requirements for a program that is adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization;
  • Risk-based minimum standards for technology systems including access controls, data protection including encryption, and penetration testing, to be achieved under a risk assessment which, as stated by NYDFS, is not intended to permit a cost-benefit analysis of acceptable losses where an institution is faced with cybersecurity risks;
  • Required minimum standards to help address any cyber breaches including an incident response plan, preservation of data to respond to such breaches, and notice to the NYDFS of material events; and
  • Accountability by requiring identification and documentation of material deficiencies, remediation plans and annual certifications of regulatory compliance to the NYDFS.