New York Department of Financial Services Implements New “First-in-the-Nation” Cybersecurity Regulations

Blank Rome LLP

As of March 1, 2017, New York financial institutions subject to the oversight of the New York Department of Financial Services (“DFS”) are required to comply with a new cybersecurity regulatory scheme. Compliance deadlines for certain measures are coming as early as August 28, 2017. Affected financial institutions should take action now to ensure timely compliance.

Following months of public comments and revisions, DFS’ new cybersecurity regulations, 23 NYCRR §§ 500.00-500.23, went into effect on March 1, 2017.[1] Entitled “Cybersecurity Requirements For Financial Services Companies,” these “first-in-the-nation”[2] cybersecurity rules are “designed to promote the protection of customer information as well as the information technology systems of regulated entities.” In short, the regulations require New York financial institutions subject to the oversight of DFS (“Covered Entities”) to adopt a robust cybersecurity program and policy, and the first compliance deadline is coming this summer. Failure to comply with the new regulations may result in fines or other civil penalties. Here are the specific deadlines for the new measures that you need to be aware of:

August 28, 2017: 180-Day Transition Period Ends

Although the new regulations went into effect on March 1, 2017, DFS has provided for a 180-day transition period, which ends on August 28, 2017. Covered Entities are required to be in compliance with most of the new regulations by that date. Covered Entities will then have additional time to comply with certain enumerated provisions, which are described below.

February 15, 2018: First Certification of Compliance Due to DFS

Beginning on February 15, 2018, and continuing on an annual basis thereafter, Covered Entities must submit to the superintendent of DFS a written statement certifying that the Covered Entity is in compliance with the regulations.[3]

March 1, 2018: One-Year Additional Transition Period Ends

By March 1, 2018,[4] a Covered Entity must be in compliance with the following provisions:

  • Regulations concerning the annual report of the Chief Information Security Officer (“CISO”) to the Covered Entity’s board of directors.[5]
  • Regulations concerning annual penetration testing and bi-annual (twice-yearly) vulnerability assessments of the Covered Entity’s Information Systems; the regulation accepts effective continuous monitoring in place of this periodic testing.[6]
  • Regulations concerning periodic risk assessment of the Covered Entity’s Information Systems.[7]
  • Regulations concerning the implementation of multi-factor authentication, including for access to internal networks from an external network.[8]
  • Regulations concerning cybersecurity awareness training.[9]

September 1, 2018: 18-Month Additional Transition Period Ends

By September 1, 2018,[10] a Covered Entity must be in compliance with the following provisions:

  • Regulations concerning reconstruction of material financial transactions and audit trails.[11]
  • Regulations concerning application security.[12]
  • Regulations concerning data retention and secure disposal of nonpublic information.[13]
  • Regulations concerning the monitoring of authorized users.[14]
  • Regulations concerning encryption of nonpublic information, both in transit over external networks and at rest.[15]

March 1, 2019: Two-Year Additional Transition Period Ends

By March 1, 2019,[16] a Covered Entity must be in compliance with regulations concerning third party service providers.[17] Essentially, this regulation will require a Covered Entity to implement written policies and procedures designed to ensure that a Covered Entity’s vendors and other third parties with access to nonpublic information employ adequate cybersecurity practices.


1. 23 NYCRR § 500, available at http://www.dfs.ny.gov/legal/regulations/proposed/rp500t.pdf

2. Press Release, N.Y. Dep’t of Fin. Servs., “DFS Issues Updated Proposed Cybersecurity Regulation Protecting Consumers and Financial Institutions” (Dec. 28, 2016), available at http://www.dfs.ny.gov/about/press/pr1612281.htm.

3. 23 NYCRR §§ 500.17(b), 500.21.

4. Id. § 500.22(b)(1).

5. Id. § 500.04(b).

6. Id. § 500.05.

7. Id. § 500.09.

8. Id. § 500.12.

9. Id. § 500.14(a)(2).

10. Id. § 500.22(b)(2).

11. Id. § 500.06.

12. Id. § 500.08.

13. Id. § 500.13.

14. Id. § 500.14(a)(1).

15. Id. § 500.15.

16. Id. § 500.22(b)(3).

17. Id. § 500.11.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Blank Rome LLP | Attorney Advertising
