Financial institutions and insurance companies operating in New York have until September 3, 2018 to comply with the next phase of New York’s Cybersecurity Regulations. Here’s what you need to know to avoid regulatory scrutiny.
Who is covered? The New York State Department of Financial Services (NYDFS) Cybersecurity Regulations (23 NYCRR Part 500) impose rigorous cybersecurity measures on “Covered Entities,” e.g., insurance companies and agents, banks, credit reporting agencies, consumer lenders, mortgage brokers, and premium finance agencies that are operating, or required to operate, under a license, registration or similar authorization under New York’s Banking, Insurance or Financial Services Laws. There are limited exemptions, including for small Covered Entities with fewer than 10 employees (including independent contractors) located in New York or responsible for the New York business, less than $10 million in year-end total assets, or less than $5 million in gross annual revenue from New York operations in each of the last three fiscal years. The exemption is partial, not total: an exempt entity must still file a Notice of Exemption with NYDFS and remains subject to the sections the exemption does not cover. While the regulations became effective on March 1, 2017, the implementation dates are staggered in order to give institutions time to comply. A number of requirements took effect in 2017 and early 2018.
What Covered Entities have to do. The next deadline is September 3, 2018, when Covered Entities are required to comply with provisions related to the following:
- Audit Trails (500.06): Covered Entities must maintain audit trails designed to detect and respond to Cybersecurity Events (the regulation’s defined term) that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity, and keep those records for at least three years. They also must maintain systems designed to reconstruct material financial transactions sufficient to support the normal operations and obligations of the Covered Entity, and keep those records for at least five years. Note the two retention periods attach to two different record sets: three years for the event-detection audit trail, five years for the transaction-reconstruction records.
- Application Security (500.08): Each Covered Entity’s cybersecurity program must include written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications the entity uses, as well as procedures for evaluating, assessing or testing the security of externally developed applications within the context of the Covered Entity’s technology environment. These must be periodically reviewed, assessed and updated (as necessary) by the Covered Entity’s Chief Information Security Officer (CISO) or a qualified designee. The NYDFS issued an FAQ on this section, noting that compliance should be addressed when Covered Entities are acquiring or merging with another company, since the acquired company’s applications become part of the Covered Entity’s environment.
- Limitations on Data Retention (500.13): As part of its cybersecurity program, each Covered Entity must include policies and procedures for the secure disposal, on a periodic basis, of non-public information that is no longer necessary for business operations or another legitimate business purpose. The disposal requirement is aimed at the personal and health information categories of non-public information (500.01(g)(2) and (3)), and does not apply where the information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained. Small Covered Entities relying on the limited exemption in 500.19(a) are not exempt from this section.
- Monitoring (500.14(a)): Covered Entities must implement risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access to, use of, or tampering with non-public information by those Authorized Users. (The cybersecurity awareness training requirement in 500.14(b) was already due on March 1, 2018.)
- Encryption (500.15): Based on its Risk Assessment, each Covered Entity must implement controls, including encryption, to protect non-public information both in transit over external networks and at rest. To the extent the Covered Entity determines that encryption is infeasible for either case, the information may instead be secured using “effective alternative compensating controls” that have been reviewed and approved by the Covered Entity’s CISO. The CISO must review the feasibility of encryption and the effectiveness of any compensating controls at least annually, and compliance with this section, like the others, is covered by the annual certification.
By February 15, 2019, Covered Entities must submit a certification of compliance covering the above requirements, in addition to the requirements that were subject to the first certification made on or before February 15, 2018 and those that had to be implemented by March 1, 2018. If you missed the February 15, 2018 deadline, you likely received a notice of non-compliance and should submit the NYDFS Certification of Compliance via the NYDFS cybersecurity portal as soon as possible.
The final transition period for the NYDFS Cybersecurity Regulations ends on March 1, 2019, when Covered Entities must comply with the Third Party Service Provider Security Policy requirements (500.11), i.e., written policies and procedures designed to ensure the security of systems and non-public information accessible to, or held by, third party service providers. After that deadline, Covered Entities must submit a certification to the NY Superintendent of Financial Services on or before February 15 of each year.
Penalties. Penalties for noncompliance include monetary penalties, injunctive relief (e.g., possible revocation of a license), and a consent order requiring corrective action.