Beware the Ides of March – Is Your NYDFS Cybersecurity Compliance in Order?

Jonathan Forman, Eulonda Skyles
BakerHostetler
Contact
LinkedIn
Facebook
X
Send
Embed

March is now here and with it the Cybersecurity Regulation of the New York Department of Financial Services (NYDFS) is now in full force and effect, including requirements relating to Third Party Service Providers[1] (e.g., vendors, suppliers, agents). To comply with the regulation, banks, insurance companies, and other financial institutions and individuals who are, or should be, licensed with NYDFS (Covered Entities) were required to address substantial data security compliance requirements over the past two years (detailed in our February 2017 and July 2017 posts). The March 1 deadline marked the end of the last transitional period for the regulation, and perhaps a new period marked by its enforcement.

Because of its onerous nature, NYDFS gave Covered Entities a two-year transitional period to address the Third Party Service Provider provision. Now that it is in effect, Covered Entities (including those qualifying for limited exemptions under Section 500.19(a), (c), or (d)) must have written policies and procedures to address the risks associated with Third Party Service Providers’ access to Nonpublic Information or Information Systems.

Among other things, this provision requires Covered Entities to:

  • Identify Third Party Service Providers that access their Nonpublic Information or Information Systems;
  • Periodically assess the risks posed by their access;
  • Establish minimum cybersecurity practices required of Third Party Service Providers, including with respect to encryption, access controls (e.g., multi-factor authentication), and contractual protections (e.g., representations and warranties as well as notice provisions); and
  • Develop due diligence processes to evaluate the cybersecurity practices of Third Party Service Providers.

Although this provision went into effect after this year’s February 15 compliance certification, it still applies now. Given this, Covered Entities should have well-developed written policies and procedures to protect against the cybersecurity risks posed by their Third Party Service Providers. Such policies and procedures not only will guard against data breaches but also will help Covered Entities avoid protracted NYDFS examinations and costly enforcement actions. We will continue to monitor the Cybersecurity Regulation’s FAQs and other developments to identify additional guidance on this untested regulation.

[1] All terms not otherwise defined in this post have the meaning provided to them in the Cybersecurity Regulation.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising

Written by:

BakerHostetler
BakerHostetler
Contact
more
less

BakerHostetler on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide