Phase 3 Of New York’s Cyber Regulations Takes Effect

King & Spalding

As of September 4, 2018, financial institutions and other entities regulated by the New York State Department of Financial Services (“DFS”) must comply with the third of four compliance deadlines established by DFS’s new cybersecurity law. The regulations, enacted in March 2017, were touted by DFS as the nation’s first cybersecurity regulations aimed at protecting consumer data and financial systems from terrorist and other criminal elements.

The first of four transitional compliance phases took effect in August 2017 and required companies to develop and implement written cybersecurity policies and procedures. The most recent phase requires companies to meet five new milestones of primarily technical requirements.

In particular, Phase 3 requires regulated entities to maintain financial and cyber audit trails capable of reconstructing material financial transactions and of detecting and responding to cybersecurity events. In addition, regulated entities are required to encrypt nonpublic information to the extent doing so is “feasible” and to monitor network users to detect any unauthorized activity or access. Finally, those entities are expected to implement data retention limits and adopt guidelines and standards for secure development of internal applications. For external or off-the-shelf applications, entities must put in place procedures for evaluating and testing the security of those applications.

The fourth and final phase of DFS’s cyber regulations will take effect on March 1, 2019, and is widely considered to be the most burdensome. That phase will require covered businesses to have all of their third-party vendors in compliance with DFS standards governing the way the outsiders access the regulated company’s network and its most sensitive information. This third-party requirement would cover vendors ranging from outsourcing firms to accounting firms and even law firms. For larger financial institutions, this requirement could entail putting numerous vendors through assessments to ensure they have adequate cyber safeguards in place by March of next year.

According to DFS, the cybersecurity regulations it has imposed upon banks, insurance companies, and other financial services institutions regulated by DFS are “vital to the governance and components of a robust financial services cybersecurity program.”

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
