Ninety Days and Counting: NY Cyber Regulation’s First Deadline

Patterson Belknap Webb & Tyler LLP
Contact

Faced with an approaching August 28th deadline, the more than 3,000 financial institutions that do business in New York should be knee-deep in implementing the first wave of requirements under the State’s sweeping and unprecedented cybersecurity regulation.

As readers of this blog know, New York’s powerful banking regulator, the Department of Financial Services, has enacted the country’s toughest cybersecurity regulation.   Effective as of March 1, 2017, the regulation requires banks, insurance companies and financial institutions under the agency’s supervision to design and implement a comprehensive, risk-based and accountability-driven set of data security safeguards and protections.  Although the deadlines for compliance are staggered, the August 28th requirements include:

? Designating a Chief Information Security Officer responsible for overseeing, implementing, and enforcing the institution’s Cybersecurity Policy;

? Putting in place a risk-based Cybersecurity Program “designed to protect the confidentiality, integrity and availability” of an institution’s information systems;

? Implementing a Cybersecurity Policy setting forth “policies and procedures” for the protection of the organization’s network and sensitive information;

? Board of director or senior officer approval of the Cybersecurity Policy;

? Limiting user privileges to information systems that provide access to nonpublic information;

? Ensuring that “qualified cybersecurity personnel” are used to “perform or oversee” core cybersecurity functions; and

? Establishing a “written incident response plan” to enable the institution to respond to a data security event.

These initial set of requirements are detailed and far-reaching in an increasingly complex regulatory environment.

Over the next three months, we will publish a series of blog posts that focus on these initial requirements and that look ahead to what’s required by the next set of deadlines including the first-ever U.S. data security requirement that either a board member or senior corporate officer file a sworn statement attesting to the institution’s compliance with the regulation.

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Patterson Belknap Webb & Tyler LLP | Attorney Advertising

Written by:

Patterson Belknap Webb & Tyler LLP
Contact
more
less

Patterson Belknap Webb & Tyler LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.