The New York State Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR Part 500) came into effect March 1, 2017 (see our previous publications: “New York Department of Financial Services Cybersecurity rules revised and delayed,” “The ‘Final Final’ Is Here: NYDFS Cybersecurity Regulations,” and “A guide to NYDFS Cybersecurity Regulation’s March 1 implementation deadline”). Various provisions under the regulations have been implemented on a staggered implementation timeline since that date.

As of Tuesday, September 4, 2018, covered entities are required to be in compliance with additional requirements relating to:

  • Audit Trail (Section 500.06);
  • Application Security (Section 500.08);
  • Limitations on Data Retention (Section 500.13);
  • Monitoring of Authorized Users (Section 500.14(a)); and
  • Encryption of Non-public Information (Section 500.15).

As you finalize your organization’s preparations for compliance, we have highlighted below key aspects of these obligations that come into effect on September 4. In addition to this overview, you may also find the NYDFS’s Frequently Asked Questions a helpful resource in your preparation for this next implementation deadline.

Audit Trail (Section 500.06)

Covered Entities must securely maintain systems that: (1) are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the Covered Entity; and (2) include audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity. Covered Entities must maintain the records required by these obligations for five years and three years respectively.

Application Security (Section 500.08)

Each Covered Entity must adopt written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications utilized by the Covered Entity. In addition, Covered Entities must implement procedures for evaluating, assessing or testing the security of externally developed applications utilized by the Covered Entity within the context of the Covered Entity’s technology environment. The Chief Information Security Officer (CISO) (or qualified designee) must periodically review, assess and update these procedures, guidelines and standards as necessary.

Limitations on Data Retention (500.13)

Covered Entities must implement policies and procedures for the secure disposal of nonpublic information that is no longer necessary for business operations or for other legitimate business purposes of the Covered Entity. An exception applies where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.

Monitoring of Authorized Users (Section 500.14(a))

Covered Entities must implement risk-based policies, procedures and controls designed to monitor the activity of authorized users and detect their unauthorized access or use of, or tampering with, nonpublic information.

Encryption of Nonpublic Information (Section 500.15)

Covered Entities must implement controls, including encryption, to protect nonpublic information held or transmitted by the Covered Entity both in transit over external networks and at rest. Where a Covered Entity determines that encryption of such nonpublic information is infeasible, it may instead secure such information using effective alternative compensating controls reviewed and approved by its CISO. To the extent a Covered Entity is utilizing such compensating controls, the feasibility of encryption and effectiveness of the compensating controls shall be reviewed by the CISO at least annually.

Final Implementation date March 1, 2019

The final implementation date for NYDFS Cybersecurity Regulation is March 1, 2019. As of that date, Covered Entities that utilize third party service providers must adopt written policies and procedures that are based on a risk assessment and designed to ensure the security of information systems and nonpublic information that are accessible to third party service providers as specified in Section 500.11.