As of September 4, 2018, financial institutions and other entities regulated by the New York State Department of Financial Services (“DFS”) must comply with the third of four compliance deadlines established by DFS’s new cybersecurity law. The regulations, enacted in March 2017, were touted by DFS as the nation’s first cybersecurity regulations aimed at protecting consumer data and financial systems from terrorist and other criminal elements.
The first of four transitional compliance phases took effect in August 2017 and required companies to develop and implement written cybersecurity policies and procedures. The most recent phase requires companies to meet five new milestones, most of them technical requirements.
In particular, Phase 3 requires regulated entities to maintain financial and cyber audit trails capable of reconstructing material financial transactions and of detecting and responding to cybersecurity events. In addition, regulated entities are required to encrypt nonpublic information to the extent doing so is “feasible” and to monitor the activity of network users in order to detect any unauthorized activity or access. Finally, those entities are expected to implement data retention limits and to adopt guidelines and standards for the secure development of internally developed applications. For external or off-the-shelf applications, entities must put in place procedures for evaluating and testing the security of those applications.
The fourth and final phase of DFS’s cyber regulations will take effect on March 1, 2019, and is widely considered to be the most burdensome. That phase will require covered businesses to have all of their third-party vendors in compliance with DFS standards governing the way those outside parties access the regulated company’s network and its most sensitive information. This third-party requirement would cover vendors ranging from outsourcing firms to accounting firms and even law firms. For larger financial institutions, this requirement could entail putting numerous vendors through assessments to ensure they have adequate cyber safeguards in place by March of next year.
According to DFS, the cybersecurity regulations it has imposed upon banks, insurance companies, and other financial services institutions regulated by DFS are “vital to the governance and components of a robust financial services cybersecurity program.”