In September 2016, the New York Department of Financial Services (“DFS”) introduced the first draft of its cybersecurity regulation, which is now in a position to lead a new trend in industry-specific cybersecurity regulation. The regulation contains detailed and demanding requirements that require increased executive and senior management participation in cybersecurity, comprehensive risk analyses, written policies and procedures, specific technical safeguards, and annual compliance certifications for companies in the financial services industry. The regulation became effective as of March 1 of this year and provides various transition periods, including 180 days to comply with core requirements, one year to implement risk vulnerability testing, eighteen months to implement application security and encryption policies, and two years to contractually require service providers to maintain adequate cybersecurity policies. On August 28, 2017, the first transition period ends and covered entities will be required to comply with several of the regulation’s exacting requirements. Here is what in-house counsel should know about the first transition period.

Does My Company Need to Comply With the Regulation? -

Generally, covered entities under the cybersecurity regulation include all individuals and entities directly supervised by DFS and may include those entities’ service providers. Certain smaller entities may qualify for a limited exemption, but in order to be exempted, those entities must submit a Notice of Exemption on or before September 27, 2017. Exempt entities, which are generally small businesses, remain subject to the regulation’s core requirements described below.