New York Department of Financial Service Phases in CyberSecurity Rules

• Posted on: Mar 12 2017

The New York Department of Financial Services’ (“DFS”) cybersecurity regulations became effective March 1, 2017, but the rules are slated to be phased in on a rolling basis 180 days after the effective date. The rules apply to financial institutions, financial services companies, insurance firms and other entities regulated by the DFS (“Covered Entities”). 

The rules require Covered Entities to establish and maintain cybersecurity programs in order to identify internal and external cyber risks and detect Cybersecurity Events, defined as “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt, or misuse an information system or information stored on such a system…that has a reasonable likelihood of materially harming any material part of the normal operations.”

What are the responsibilities of Covered Entities?

Under the rules, Covered Entities must develop defensive infrastructure to protect their information systems and prevent the unauthorized access or use of nonpublic information stored on these systems. In addition, Covered Entities must implement policies and procedures and employee training to achieve these objectives.

Covered Entities also must have a system in place to respond to cybersecurity events, mitigate adverse effects and recover from these events. There is also a strict reporting requirement that requires the DFS to be notified of an event within 72 hours of the occurrence.

Beyond developing defensive capabilities, Covered Entities must be proactive and conduct periodic penetration testing and vulnerability assessments. They are also required to maintain records of internal audits, which must be available for inspection by the DFS. The DFS cybersecurity rules have additional requirements, including:

• Encryption of nonpublic information
• Establishing a third-party service provider’s security policy
• Data retention and monitoring procedures
• Establishment of an incident response plan

Finally, the rules mandate the identification of a Chief Information Security Officer (“CISO”) to oversee and implement the cybersecurity program. The CISCO is required to report to the board of directors about the program. Thereafter, Covered Entities must submit a certification to the DFS that the board or a senior official reviewed the report and that the cybersecurity program complies with the rules.

In the end, while there is a 180 day grace period and the rule is being phased in on a rolling basis, the transition periods are short, therefore it is crucial to take measures now to ensure compliance with the DFS cybersecurity rules.

Tagged with: Business Law