August 10th, 2018
Are You Ready for the New York Cybersecurity Regulations’ September 3rd Deadline?
Financial institutions and insurance companies operating in New York have until September 3, 2018 to comply with the next phase of New York's Cybersecurity Regulations. Here's what you need to know to avoid regulatory scrutiny.
Who is covered? The New York State Department of Financial Services (NYDFS) Cybersecurity Regulations (23 NYCRR Part 500) impose rigorous cybersecurity measures for "Covered Entities" --e.g., insurance companies and agents, banks, credit reporting agencies, consumer lenders, mortgage brokers, and premium finance agencies that are operating, or required to operate, under a license, registration or similar authorization under New York's Banking, Insurance or Financial Services Laws. There are limited exemptions, including for small Covered Entities with fewer than 10 employees based in NY, less than $10 million in year-end total assets, or less than $5 million in gross annual revenue. While the regulations became effective on March 1, 2017, the implementation dates are staggered in order to give institutions time to comply. A number of regulations took effect in 2017 and early 2018.
What Covered Entities have to do. The next deadline is September 3, 2018, when Covered Entities are required to comply with provisions related to the following:
- Audit Trails (500.06): Covered Entities must maintain audit trails designed to detect and respond to cybersecurity incidents that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity (and keep such records for at least three years). They also must maintain systems designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the Covered Entity (and keep such records for at least five years).
- Application Security (500.08): Each Covered Entity's cybersecurity program must include written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications, as well as procedures for evaluating, assessing or testing the security of externally developed applications. Periodically, these must be reviewed, assessed, and updated (as necessary) by the Covered Entity's Chief Information Security Officer (CISO). The NYDFS issued an FAQ on this section, noting that compliance should be addressed when Covered Entities are acquiring or merging with a new company.
- Limitations on Data Retention (500.13): As part of its cybersecurity program, each Covered Entity must include policies and procedures for the secure disposal on a periodic basis of non-public information that is no longer necessary for a legitimate business purpose, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible. Small Covered Entities are not exempt from this regulation.
- Monitoring (500.14): Covered Entities must implement risk-based policies, procedures and controls designed to detect the unauthorized access, use of, or tampering with non-public information by Authorized Users.
- Encryption (500.15): All non-public information at rest and in transit must be encrypted. Covered Entities will have to certify their compliance with this regulation on an annual basis. To the extent encryption is infeasible, non-public information may be secured using "effective alternative compensating controls" that have been reviewed and approved by the Covered Entity's CISO.
By February 15, 2019, Covered Entities must submit a certification of compliance with respect to the above regulations, in addition to those requirements that were subject to the first certification made on or before February 15, 2018 and the regulations that had to be implemented by March 1, 2018. If you missed the February 15, 2018 deadline, you likely received a notice of non-compliance and should submit the NYDFS Certification of Compliance via the NYDFS cybersecurity portal as soon as possible.
The final transition period for the NYDFS Cybersecurity Regulations ends on March 1, 2019, when covered entities must be in compliance with the requirements regarding written security policies applicable to third party service providers. After that deadline, Covered Entities must submit a certification to the NY Superintendent of Financial Services on or before February 15 of each year.
Penalties. Penalties for noncompliance include monetary penalties, injunctive relief (e.g., possible revocation of a license), and a consent order requiring corrective action.
If you have questions about the NYDFS Cybersecurity Regulations, or about any other privacy and data security issues, please contact Caren Decter at 212 705 4833 or firstname.lastname@example.org or Tanya Forsheit at 310 579 9615 or email@example.com, or any other member of the Frankfurt Kurnit Privacy & Data Security Group.
Read our other privacy and data security alerts here. Follow our "Focus on the Data" blog here.
End of Summer Sports News
Here’s what’s happening at the intersection of sports, marketing, and entertainment law as we leave Summer. Read more.
September 6 2019
Employee Classification Update: California’s AB 5 Stalls in State Senate
Here is an update for all employers with employees or independent contractors in California. Read more.
August 14 2019
Business Takeaways from the FTC $5 Billion Settlement with Facebook
On July 24, 2019, the FTC announced a $5 billion settlement with Facebook to address Facebook’s alleged violations of the FTC Act and its 2012 consent order with the FTC. Read more.
July 26 2019