Deadline to Comply with New York's Cybersecurity Regulation Is Approaching

Jones Day
For entities regulated by the New York Department of Financial Services, the deadline for complying with the new Cybersecurity Requirements for Financial Services Companies, 23 NYCRR Part 500, is Monday, August 28, 2017. To assist, the Department recently updated its Frequently Asked Questions Regarding 23 NYCRR Part 500.

In short, and subject to certain exemptions, the Regulation generally applies to entities required to operate with a license or other formal authorization under New York's Banking Law, Insurance Law, or Financial Services Law. Among other things, the Regulation requires covered entities to:

  • Maintain a cybersecurity program, conduct periodic risk assessments, maintain written policies and procedures to protect information systems and nonpublic information, ensure the security of information handled by third parties, designate a Chief Information Security Officer, and conduct training and monitoring.
  • Employ certain technical measures—namely, penetration testing and vulnerability assessments, limitations on access privileges, multifactor authentication, encryption of nonpublic information at rest and in transit over external networks, and limitations on data retention.
  • Develop an incident response plan.
  • Notify the Superintendent of Financial Services within 72 hours of determining that a cybersecurity event occurred, and maintain an audit trail designed to detect and respond to such events. The Regulation defines a "cybersecurity event" as any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt, or misuse an information system or electronically stored nonpublic information.

Additionally, directors and/or senior officials must certify that they have reviewed reports and other documentation and that the covered entity's cybersecurity program complies with the Regulation. Although the Regulation does not specify penalties for noncompliance, it may be enforced under any applicable laws, including New York's banking, insurance, or financial services laws that contain civil and criminal penalties.

The Colorado Division of Securities has adopted similar rules, and other states may follow.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Jones Day | Attorney Advertising
