Are You Ready for the New York August 28th Compliance Deadline?  

Mintz - Privacy & Cybersecurity Viewpoints

If you are one of the many businesses licensed by the New York Department of Financial Services (DFS), and cannot avail yourself of the (very) limited exemptions, you must be ready for the first compliance transition date for the stringent DFS cybersecurity regulations – August 28, 2017.

Just in case you’d forgotten, the DFS cybersecurity regulations became effective March 1, 2017 and you can refresh your memory here.

If you are licensed by DFS and have not conducted the required risk assessment, you will be late.  The risk assessment is required periodically by the regulation (see Section 500.09 for details) (referred to as the “Risk Assessment”) and is the foundation for every other administrative and technical requirement of the regulation.

The August 28 compliance deadline applies to the following requirements:

Cybersecurity Program (Section 500.02):  Licensees are required to have a cybersecurity program in place that is designed to protect the confidentiality, integrity, and availability of the licensee’s information systems. As with other security regulations (e.g., HIPAA and Massachusetts 2017 CMR 17), the Cybersecurity Program should be developed based the Risk Assessment.

Cybersecurity Policy (Section 500.03):  The written policy must be approved by a senior officer or the entity’s governing board, must be based on the Risk Assessment, and cover 14 regulation-specific areas including data governance, systems and network security, data privacy, and incident response.

Chief Information Security Officer (CISO) (Section 500.04(a)): The regulation requires that a qualified individual be designated as the CISO.

Access Privileges (Section 500.07):  User access to information systems must be limited and privileges must be appropriate for roles.

Cybersecurity Personnel (Section 500.10):  Cybersecurity personnel must be engaged, trained, and updated on cybersecurity risks and all personnel must have regular cybersecurity awareness training based on the Risk Assessment.

Incident Response Plan (Section 500.16):  A written incident response plan (IRP) must be implemented.  The plan must be designed to promptly respond to, and recover from any security incident, and must specifically address internal processes for response, goals of the incident response plan, definition of clear roles and responsibilities, external and internal communications and information sharing, identification of requirements for remediation of identified weaknesses, documentation and reporting, and evaluation and revision (as necessary) of the IRP following a security incident.

Notice of Cybersecurity Event (Section 500.17(a)):  Notice of a security incident must be given to the DFS Superintendent as promptly as possible BUT IN NO EVENT LATER THAN 72 HOURS from a determination that a Cybersecurity Event (as defined in the regulation) has occurred, where notice is required to any other governmental or supervisory body or self-regulatory agency, or where the event has a reasonable likelihood of materially harming any part of the entity’s operations.

Note that if you intend to claim a limited exemption under Section 500.19 of the regulation, you must file Appendix B with DFS by August 28, 2017. DFS has established a web portal for licensees to make required filings.  Go to Department of Financial Services Secure Portal to create an account.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Mintz - Privacy & Cybersecurity Viewpoints | Attorney Advertising

Written by:

Mintz - Privacy & Cybersecurity Viewpoints

Mintz - Privacy & Cybersecurity Viewpoints on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.