New York's Department of Financial Services has delayed the implementation of its controversial new cyber-security rules for banks based in the state.
NYDFS is planning to announce an updated version of the requirements on Dec. 28, pushing the effective date to March 1, 2017.
First proposed in September, the regulation will require that banks, insurance companies, and other financial services institutions overseen by the NYDFS establish a cyber-security program; adopt a written cyber-security policy; designate a CISO responsible for implementing, overseeing, and enforcing its new program and policy; and have policies and procedures designed to ensure the security of information systems and non-public information accessible to, or held by, third parties.
The cyber-security policy, prepared on at least an annual basis, must be reviewed by a firm’s board of directors and approved by a senior officer.
The CISO of each covered entity is required to develop a report, at least bi-annually, that is presented to the board of directors or equivalent governing body and made available to the superintendent upon request. This report must assess the confidentiality, integrity, and availability of the firm’s information systems; detail exceptions to the cyber-security policies and procedures; identify cyber-risks; assess the effectiveness of the cyber-security program; propose steps to remediate any identified inadequacies; and include a summary of all material cyber-security events during the time period addressed by the report.
On an annual basis, by Jan. 15, each firm is required to provide the NYDFS superintendent with a written statement certifying that it is in compliance with all requirements. The identification of any material risk of imminent harm relating to its cyber-security program requires that the superintendent be notified within 72 hours.
A limited exemption is included in the rule for firms with fewer than 1,000 customers in each of the last three calendar years, less than $5 million in gross annual revenue in each of the last three fiscal years, and less than $10 million in year-end total assets, calculated in accordance with Generally Accepted Accounting Principles.