Cybersecurity requirements to protect the financial services industry and consumers from cyberattacks go into effect in New York State on March 1. The mandates, which Governor Andrew Cuomo is touting as the first in the nation, require certain banks, insurance companies and other financial services providers that are regulated by the New York Department of Financial Services (NYDFS) to develop and maintain a cybersecurity program.
“Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances,” according to the regulations. The rules are “designed to promote the protection of customer information as well as the [IT] systems of regulated entities.” Among other directives, the rules require each company to assess its specific “risk profile,” design a program that addresses those risks and file an annual certification confirming compliance with the regulations.
The regulations require companies to meet minimum security standards, including: a cybersecurity program that is properly funded, staffed and overseen by qualified management; risk-based standards for technology systems, including access controls, encryption of data and penetration testing; policies for responding to cyber breaches, including an incident response plan, preservation of data and notification of the NYDFS; and identification and documentation of material deficiencies, remediation plans and annual certification of regulatory compliance to the NYDFS.
Although the rules are effective March 1, there is a transition period for certain requirements. Some companies are exempt from portions of the regulations, such as companies that have fewer than 10 employees, less than $5 million in gross annual revenue in each of the last three fiscal years from New York business operations or less than $10 million in year-end total assets.
The NYDFS in January extended the compliance deadline to March 1 to provide the state’s financial businesses with more time to comply. The regulations were updated in December following a comment period in which approximately 150 comments were submitted after proposed regulations were published in September 2016. The NYDFS said the suggestions “deemed appropriate” were included in the final regulation.
- New York Offers Some Wiggle Room on Cybersecurity Rule
- N.Y. Cybersecurity Proposal Could Be Template for Other Regulators
- NYDFS Slaps Mega Bank with Mega Fine over AML Lapses