New York State’s “first-in-the-nation” cybersecurity regulation became effective on August 28, 2017.
The New York Department of Financial Services (“DFS”) cybersecurity regulation requires banks, insurance companies and other institutions regulated by the DFS (“covered entities”) to implement a cybersecurity program to protect consumer data (see previous coverage). A covered entity is required to have (i) a written cybersecurity policy or policies approved by the entity’s board of directors or a senior officer, (ii) a “Chief Information Security Officer” in place to protect data and systems, and (iii) other relevant “controls and plans” intended to fortify the safety of the financial services industry.
Firms will also be required to submit an annual Certification of Compliance concerning the firm’s cybersecurity compliance program. The first such Certificate must be submitted by February 15, 2018. The DFS now requires covered entities to submit notices of certain cybersecurity events to the DFS Superintendent within 72 hours of any occurrence. Covered entities will be able to report cybersecurity events through the DFS online cybersecurity portal. Institutions will also be able to use the portal to file notices of exemption.
DFS Superintendent Maria Vullo commented on the program:
“With cyber-attacks on the rise and comprehensive federal cybersecurity policy lacking for the financial services industry, New York is leading the nation with strong cybersecurity regulation requiring, among other protective measures, set minimum standards of a cybersecurity program based on the risk assessment of the entity, personnel, training and controls in place in order to protect data and information systems.”
Lofchie Comment: As if the life of a compliance officer trying to manage technology risk was not worrisome enough, the NY DFS has now added a state-wide regulatory burden to their job. On the positive side, there is a three-day weekend coming.