NYDFS finalizes cybersecurity regulations for New York financial institutions
The New York State Department of Financial Services (NYDFS) recently issued cybersecurity regulations that require New York banks, insurance companies and other financial institutions to create and maintain a cybersecurity program designed to protect consumers and the financial services industry at large, according to a report by Mondaq.
The regulations, which take effect on March 1, require all applicable entities subject to come into compliance with most requirements within 180 days of the effective date. However, certain requirements allow up to two years after the effective date.
Initially proposed last September and revised after two rounds of public comment, the new cybersecurity guidelines mirror several existing federal data security requirements for financial institutions while being somewhat broader.
The new requirements rely on a definition of “Nonpublic Information” that is more comprehensive than the definition of “customer information” under the federal Interagency Guidelines Establishing Information Security Standards.
The regulations apply to “covered entities”, which includes any individual or any non-government entity that operates under or is required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the New York State Banking Law, Insurance Law or Financial Services Law.
The regulations impose obligations to report cybersecurity incidents to NYDFS, an annual certification requirement concerning compliance with the regulations, requirements concerning oversight of third-party service providers, obligations concerning use of multi-factor authentication and encryption, and requirements concerning audit trail maintenance and document destruction.
The risk-based requirements include minimum standards wherein covered entities are obligated to continually update their cybersecurity program to reflect new technological advances.
All New York financial institutions must implement security measures to prevent and avoid cyber breaches, including controls relating to the governance framework for a cybersecurity program.
Another key requirement is the implementation of risk-based minimum standards for technology systems, including access controls, data protection including encryption and penetration testing.
Covered entities must have minimum standards in place that address any cyber breaches, including an incident response plan, preservation of data to respond to such breaches and notice to DFS of material events.
Finally, New York financial institutions are required to provide identification and documentation of material deficiencies, remediation plans and annual certifications of regulatory compliance to DFS.
Starting February 15, 2018, all covered entities must annually prepare and submit to the Superintendent of Financial Services a “Certification of Compliance with New York State Department of Financial Services Cybersecurity Regulations”.
Earlier this month, New York banks, insurance companies and other financial institutions said they are preparing to adopt multi-factor authentication including biometrics in compliance with the NYDFS’s new cybersecurity rules.