Our Voices

Are You Ready for March 1st?

New York Cybersecurity Regulation Transitional Period for Financial Services Ends March 1, 2019

By: Anna S. Park

On March 1, 2019, the two-year implementation period under the New York State Department of Financial Services ("DFS") Cybersecurity Regulation, 23 NYCRR 500 (the "Regulation"), will expire and the final requirement (third party service providers) will become effective.

Regulation Overview

Under the Regulation, all Covered Entities (which includes banks, insurance companies, and other financial services institutions and licensees regulated by DFS) are required to adopt a robust cybersecurity program designed to protect the confidentiality, integrity, and availability of Information Systems and Nonpublic Information. A robust cybersecurity program must include, among other things:

  • A written cybersecurity policy;

  • The designation of a qualified CISO (Chief Information Security Officer);

  • Cybersecurity risk assessments;

  • The retention of qualified cybersecurity personnel with regular training and monitoring for all authorized users;

  • The continuous monitoring or periodic penetration testing and vulnerability assessments;

  • Effective access privileges;

  • Effective controls which may include multi-factor authentication and encryption; and

  • Recovery and audit trails.

It must also include an annual compliance certification. All Covered Entities must file with the Superintendent of the DFS an annual Certificate of Compliance on or before February 15 certifying that the Covered Entity complied with the Regulation in the previous calendar year. The Superintendent may enforce the Regulation under any applicable law.

March 1, 2019 Deadline: Third-Party Service Provider Program

By March 1, 2019, all Covered Entities are required to comply with Section 500.11 of the Regulation as the final phase of the two-year transitional period. Under Section 500.11, all Covered Entities must have written policies and procedures in place that are aimed to secure Information Systems and Non-Public Information held by or accessible to Third Party Service Providers ("TSP"). The Covered Entities' policies and procedures must include:

  • The identification and risk assessment of all TSPs;

  • Minimum cybersecurity practices required of each TSP;

  • Due diligence processes used by the Covered Entity to evaluate the adequacy of each TSP's cybersecurity practices; and

  • Periodic assessment of each TSP to confirm that they are meeting the requirements.

In addition, each Covered Entity's policies and procedures must include relevant guidelines for due diligence and/or contractual protections relating to TSPs, including guidelines for:

  • Addressing TSP policies and procedures for access controls, including use of multi-factor authentication and encryption;

  • Providing notice to the Covered Entity in the event of a Cybersecurity Event; and

  • Representations and warranties addressing the TSP's policies and procedures that relate to the security of the Covered Entity.

Take Away

The Regulation is designed to "bolster the financial services industry's defenses against cybersecurity attacks" in order to safeguard consumers' private information and protect them and the market. Cyberattacks are no longer an issue of "if" but a question of "when" and "when do you discover it." Many parts of the Regulation require risk assessment by Covered Entities, recognizing that cybersecurity programs are not one-size-fits-all and that each Covered Entity will develop a cybersecurity program that works for it. Have you implemented a robust and defensible risk assessment program? Have you implemented cybersecurity policies and procedures that respond to your risk assessment and bring you in compliance with the Regulation? Will your program, including your TSP program, protect you from cyber vulnerabilities?

For more information please contact:

Anna S. Park apark@ckrlaw.com
Kristie Blase kblase@ckrlaw.com