March 1, 2018 will mark one year since the effective date of the New York Department of Financial Services’ (“NYDFS”) cybersecurity regulations, which may signal a trend towards stricter industry-specific regulatory oversight of companies’ cybersecurity practices. The new regulations—which broadly apply to entities subject to New York banking, insurance and financial services laws (“Covered Entities”)—impose certain minimum requirements for cybersecurity practices, including, among other things: (i) maintenance of a comprehensive cybersecurity program and corresponding written policies and procedures, including a detailed incident response plan; (ii) designation of a senior officer to implement and oversee the entity’s cybersecurity program and policies; (iii) periodic risk assessments and penetration testing; (iv) requirements to notify the NYDFS promptly after discovering a security incident; and (v) annual certification by the board of directors or a senior officer of compliance with the regulations.
Importantly, while the NYDFS regulations provide several transition periods for compliance, Covered Entities must submit their first annual certification of compliance by February 15, 2018, and must complete implementation of other required practices, such as a cyber risk assessment and use of multi-factor authentication, by March 1, 2018. In light of the looming compliance deadlines, companies should assess their directors and officers (“D&O”) policies and cyber / data privacy insurance policies now to ensure they provide adequate protection in the event a data breach triggers an expensive NYDFS regulatory investigation or enforcement proceeding.