August 10th, 2018
Are You Ready for the New York Cybersecurity Regulations’ September 3rd Deadline?
Financial institutions and insurance companies operating in New York have until September 3, 2018 to comply with the next phase of New York's Cybersecurity Regulations. Here's what you need to know to avoid regulatory scrutiny.
Who is covered? The New York State Department of Financial Services (NYDFS) Cybersecurity Regulations (23 NYCRR Part 500) impose rigorous cybersecurity requirements on "Covered Entities", e.g., insurance companies and agents, banks, credit reporting agencies, consumer lenders, mortgage brokers, and premium finance agencies that are operating, or required to operate, under a license, registration or similar authorization under New York's Banking, Insurance or Financial Services Laws. There are limited exemptions, including for small Covered Entities with fewer than 10 employees based in New York, less than $10 million in year-end total assets, or less than $5 million in gross annual revenue. While the regulations became effective on March 1, 2017, the implementation dates are staggered in order to give institutions time to comply. A number of requirements took effect in 2017 and early 2018.
What Covered Entities have to do. The next deadline is September 3, 2018, when Covered Entities are required to comply with provisions related to the following:
- Audit Trails (500.06): Covered Entities must maintain audit trails designed to detect and respond to cybersecurity incidents that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity (and keep such records for at least three years). They also must maintain systems designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the Covered Entity (and keep such records for at least five years).
- Application Security (500.08): Each Covered Entity's cybersecurity program must include written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications, as well as procedures for evaluating, assessing or testing the security of externally developed applications. Periodically, these must be reviewed, assessed, and updated (as necessary) by the Covered Entity's Chief Information Security Officer (CISO). The NYDFS issued an FAQ on this section, noting that compliance should be addressed when Covered Entities are acquiring or merging with a new company.
- Limitations on Data Retention (500.13): As part of its cybersecurity program, each Covered Entity must include policies and procedures for the secure disposal on a periodic basis of non-public information that is no longer necessary for a legitimate business purpose, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible. Small Covered Entities are not exempt from this regulation.
- Monitoring (500.14): Covered Entities must implement risk-based policies, procedures and controls designed to detect the unauthorized access, use of, or tampering with non-public information by Authorized Users.
- Encryption (500.15): All non-public information at rest and in transit must be encrypted. Covered Entities will have to certify their compliance with this regulation on an annual basis. To the extent encryption is infeasible, non-public information may be secured using "effective alternative compensating controls" that have been reviewed and approved by the Covered Entity's CISO.
By February 15, 2019, Covered Entities must submit a certification of compliance with respect to the above regulations, in addition to those requirements that were subject to the first certification made on or before February 15, 2018 and the regulations that had to be implemented by March 1, 2018. If you missed the February 15, 2018 deadline, you likely received a notice of non-compliance and should submit the NYDFS Certification of Compliance via the NYDFS cybersecurity portal as soon as possible.
The final transition period for the NYDFS Cybersecurity Regulations ends on March 1, 2019, when Covered Entities must be in compliance with the requirements regarding written security policies applicable to third party service providers. After that deadline, Covered Entities must submit a certification to the NY Superintendent of Financial Services on or before February 15 of each year.
Penalties. Penalties for noncompliance include monetary penalties, injunctive relief (e.g., possible revocation of a license), and a consent order requiring corrective action.
If you have questions about the NYDFS Cybersecurity Regulations, or about any other privacy and data security issues, please contact Caren Decter at 212 705 4833 or cdecter@fkks.com or any other member of the Frankfurt Kurnit Privacy & Data Security Group.