NYDFS reminds covered entities of upcoming cybersecurity regulation compliance dates; updates FAQs
On August 8, the New York Department of Financial Services (NYDFS) issued a reminder for regulated entities required to comply with the state’s cybersecurity requirements under 23 NYCRR Part 500 that the third transitional period ends September 4. Banks, insurance companies, and other financial services institutions (collectively, “covered entities”) that are required to implement a cybersecurity program to protect consumer data must be in compliance with additional provisions of the cybersecurity regulation by this date. As of September 4, a covered entity must (i) start presenting annual reports to the board by the Chief Information Security Officer on “critical aspects of the cybersecurity program”; (ii) create an “audit trail designed to reconstruct material financial transactions” in case of a breach; (iii) institute policies and procedures to ensure the use of “secure development practices for IT personnel that develop applications”; and (iv) implement encryption to protect nonpublic information it holds or transmits. Covered entities are also required to have policies and procedures in place “to ensure secure disposal of information that is no longer necessary for the business operations, and must have implemented a monitoring system that includes risk based monitoring of all persons who access or use any of the company’s information systems or who access or use the company’s nonpublic information.” Covered entities are further reminded that they have until March 1, 2019, to assess the risks presented by the use of a third-party service provider to ensure the protection of their security systems and data.
In coordination with the reminder, NYDFS provided new updates to its FAQs related to 23 NYCRR Part 500. The original promulgation of the FAQs was covered in InfoBytes, as were the last updates in February and March. The four new updates to the FAQs add the following guidance:
- Clarifies that in certain circumstances, an entity can be a covered entity, an authorized user, and a third-party service provider at the same time, and therefore must comply fully with all applicable provisions;
- Outlines specific compliance provisions for covered entities that have limited exemptions from the NYDFS cybersecurity requirements;
- Identifies a covered entity’s responsibilities when addressing cybersecurity risks with respect to bank holding companies; and
- Clarifies situations and requirements for when a covered entity can rely upon the cybersecurity program that another covered entity has implemented for a common trust fund.
Find continuing InfoBytes coverage on NYDFS’ cybersecurity regulations here.