On February 16, 2017, the New York Department of Financial Institutions (“DFS“) promulgated a regulation that requires “Covered Entities” to establish and maintain a cybersecurity program designed to protect consumers and the financial services industry itself (the “Regulation“). Report.
A “Covered Entity” means any individual or any nongovernment entity that operates under or is required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the New York State Banking Law, Insurance Law or Financial Services Law. Accordingly, Covered Entities include, among others, New York branches and representative offices of foreign banks, but do not include “investment advisers” and “broker-dealers.”
The Regulation is risk-based and includes regulatory minimum standards and encourages Covered Entities to keep pace with technological advances. The Regulation specifically provides protections to prevent and avoid cyber breaches, including:
Controls relating to the governance framework for a cybersecurity program, including requirements for a program that is adequately funded and staffed, overseen by qualified management and reported on periodically to the most senior governing body of the organization;
Risk-based minimum standards for technology systems, including access controls, data protection including encryption and penetration testing;
Required minimum standards to help address any cyber breaches, including an incident response plan, preservation of data to respond to such breaches and notice to DFS of material events; and
Accountability by requiring identification and documentation of material deficiencies, remediation plans and annual certifications of regulatory compliance to DFS.
Of particular relevance to global, diversified financial institutions, (i) a Covered Entity may meet the requirements of the Regulation by adopting the relevant and applicable provisions of a cybersecurity program maintained by an affiliate, provided that such provisions satisfy the requirements of the Regulation, applicable to the Covered Entity; and (ii) each Covered Entity must implement written policies and procedures designed to ensure the security of information systems and nonpublic information that are accessible to, or held by, third-party service providers.
The Regulation will be become effective on March 1, 2017. Covered Entities will be required to annually prepare and submit to the Superintendent of Financial Services a “Certification of Compliance with New York State Department of Financial Services Cybersecurity Regulations” commencing February 15, 2018.
The Regulation provides that, generally, Covered Entities shall have 180 days from March 1, 2017 to comply with the Regulation. However, certain provisions include additional transitional periods: (i) one year from March 1 to comply with the requirements that, among others, (x) the Chief Information Security Officer report in writing at least annually to the Covered Entity’s board of directors or equivalent governing body, (y) the Covered Entity conduct a risk assessment of its information systems and (z) the Covered Entity provide regular cybersecurity awareness training for all personnel; (ii) 18 months from March 1 to implement risk-based policies, procedures and controls designed to monitor the activity of authorized users of the Covered Entity’s information systems and data and to detect unauthorized access or use of, or tampering with, nonpublic information by such authorized users; and (iii) two years to comply with the requirement to implement written policies and procedures designed to ensure the security of the information systems and nonpublic information of the Covered Entity that is accessible to, or held by, third‑party service providers.