The New York State Department of Financial Services (DFS) reminded all regulated entities covered by its landmark cybersecurity regulation that the regulation’s third transitional period ends in early September. Beginning on September 4, 2018, banks, insurance companies, and other financial services institutions regulated by DFS must have come into compliance with several additional provisions of the cybersecurity regulation, provisions that are central to the governance and the core components of a robust financial services cybersecurity program.
Superintendent Maria Vullo said: “New York stepped into the void and took decisive action to ensure appropriate minimum standards protecting financial institutions’ data systems, including consumers’ sensitive personal information. These new protections, which include encryption, access controls and audit trails, add crucial tools to the regulation’s prior requirements in protecting the institutions and consumers.”
Companies will be required to have commenced mandatory annual reporting to the board by the Chief Information Security Officer on critical aspects of the cybersecurity program; to maintain an audit trail designed to reconstruct material financial transactions sufficient to support normal operations in the event of a breach; and to have policies and procedures in place to ensure the use of secure development practices by IT personnel who develop applications for the Covered Entity.
Companies must also implement encryption to protect nonpublic information held or transmitted by the company. Entities are further required to have developed policies and procedures to ensure the secure disposal of information that is no longer necessary for business operations, and to have implemented a monitoring system that includes risk-based monitoring of all persons who access or use any of the company’s information systems or the company’s nonpublic information.
DFS also reminded regulated entities that, under its regulation, if they use third-party service providers, they must evaluate the risk those providers pose to the security of the entity’s information systems and nonpublic information, and ensure those systems and data are protected, by March 1, 2019.