On August 28, 2017, regulations first announced by the New York Department of Financial Services (“DFS”) in September 2016 took effect, marking the start of the first compliance period for covered financial institutions operating in New York state. Banks, insurance companies, and other financial services firms regulated by DFS are required to have, among other things, a cybersecurity program in place to protect customers’ private data; a written policy on cybersecurity approved by the board or a senior officer; a Chief Information Security Officer and other qualified personnel to oversee and manage the program and cybersecurity risks; and an incident response plan to respond to and recover from material cybersecurity events.
The New York compliance requirements are the first cybersecurity regulatory scheme of their kind. “This day marks a significant milestone in protecting the financial services industry and the consumers they serve from the threat of cyber-attacks,” said DFS Superintendent Maria T. Vullo in a press release. “With cyber-attacks on the rise and comprehensive federal cybersecurity policy lacking for the financial services industry, New York is leading the nation with strong cybersecurity regulation requiring, among other protective measures, set minimum standards of a cybersecurity program based on the risk assessment of the entity, personnel, training and controls in place in order to protect data and information systems.”
Financial institutions that suffer material breaches must notify DFS within 72 hours of discovering the intrusion. DFS has set up a secure portal through which covered entities can submit notices of reportable cybersecurity events. The portal has previously been active for institutions to submit notices of exemption from portions of the requirements.
Additional compliance requirements announced by DFS as part of this initiative will take effect in phases, with deadlines forthcoming. For example, the requirement that a board officer or senior compliance officer certify that a company’s cybersecurity controls are adequate, which potentially exposes those individuals to criminal liability if the controls are found lacking, is slated to take effect in February 2018.
King & Spalding’s Data, Privacy & Security Practice Group previously covered the requirements of the DFS cybersecurity regulations in a Client Alert published August 8, 2017.