NYDFS: Implementation deadline for cyber-security regulation approaching

The final implementation period for the New York Department of Financial Services’ landmark cyber-security regulation ends March 1, meaning that DFS-regulated entities and licensed persons covered by the regulation must be in full compliance by that time.

New York’s first-in-the-nation cyber-security regulation became effective March 1, 2017. The DFS implemented a two-year timeline for implementation of the regulation’s requirements, with a final compliance deadline of March 1.

The final step in the implementation timeline requires regulated entities that use third-party providers to put in place policies and procedures ensuring the security of information systems and non-public information accessible to, or held by, such providers. Superintendent Vullo reminded all regulated entities that the second certification of compliance covering the prior calendar year must be filed electronically via the DFS cybersecurity portal on or before Feb. 15

“Two years ago, DFS took steps to address the significant issue of cyber-security, issuing a first-in-the-nation regulation protecting the financial services industry and consumers from the ever-increasing threat of data breaches and cyber-attacks,” NYDFS Superintendent Maria Vullo said in a recent statement. “With the deadline for final implementation nearing, all DFS-regulated institutions should now have in place a comprehensive risk-based cyber-security program and adequate controls to protect their information systems, with senior-level attention to these protections.”

“This regulation, which demonstrates the importance of strong state regulation and has set a national model, will provide much-needed protections for the financial services industry and consumers well into the future,” Vullo added.

All banks, insurance companies, and other financial services institutions and licensees regulated by DFS are now required to have:

• A cyber-security program in place that is designed to protect consumers’ private data;
• A written policy or policies that are approved by the board or a senior officer;
• A chief information security officer to help protect data and systems;
• Protections of data at third-party providers; and
• Controls and plans in place to help ensure the safety and soundness of New York’s financial services industry.

Covered entities and licensees must also report cyber-security events to the DFS through the Department’s secure online cybersecurity portal. A copy of the cybersecurity regulation and a set of frequently asked questions can also be found on the portal.