NY Department Of Financial Services Cybersecurity Regulation Now Effective

New York State's "first-in-the-nation" cybersecurity regulation became effective on August 28, 2017.

The New York Department of Financial Services ("DFS") cybersecurity regulation requires banks, insurance companies and other institutions regulated by the DFS ("covered entities") to implement a cybersecurity program to protect consumer data (see previous coverage). A covered entity is required to have (i) a written cybersecurity policy or policies approved by the entity's board of directors or a senior officer, (ii) a "Chief Information Security Officer" in place to protect data and systems, and (iii) other relevant "controls and plans" intended to fortify the safety of the financial services industry.

Firms also will be required to submit a Certification of Compliance annually that concerns the firm's cybersecurity compliance program. The first such Certificate must be submitted by February 15, 2018. The DFS now requires covered entities to submit notices of certain cybersecurity events to the DFS Superintendent within 72 hours of any occurrence. Covered entities will be able to report cybersecurity events through the DFS online cybersecurity portal. Institutions also will be able to use the portal to file notices of exemption.

DFS Superintendent Maria Vullo commented on the program:

Commentary / Steven Lofchie

As if the life of a compliance officer trying to manage technology risk was not worrisome enough, the NY DFS has now added a state-wide regulatory burden to their job. On the positive side, there is a three-day weekend coming.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.