On March 1, 2017 the New York State Department of Financial Services’ (NY DFS) Cybersecurity Requirements for Financial Services Companies (the Regulations) went into effect. The Regulations apply to any entity or organization “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization” under New York (United States) banking law, insurance law, or financial services laws. Certain entities are exempt, and the Regulations do not apply to national banks. The Regulations may present compliance challenges for covered entities, and all entities will also need to consider what U.S. federal cybersecurity rules or guidance may also apply.
Among the requirements, covered entities must conduct a risk assessment to evaluate and identify cybersecurity risks to the organization, and develop a cybersecurity program and policy designed to address those identified risks and protect the entity’s systems and nonpublic information stored on those systems. The cybersecurity program must include policies for functions or risks that in many organizations may fall outside the Chief Information Security Officer’s (CISO) or information security’s domain. The Regulations identify specific areas to be covered by the cybersecurity program, and the program must be approved by a senior officer or the board of directors, or equivalent governing body.
The NY DFS Regulations also require covered entities to employ a CISO to design and oversee the cybersecurity program and policy, and describe the CISO’s responsibilities and reporting requirements. Certain controls and testing are mandated under the Regulations, and require that a covered entity provide notice of a “cybersecurity event” to the DFS where notice is required under applicable law or regulation, or where there is a reasonable likelihood of material harm to the normal operations of the entity. Other notable mandates under the Regulations include periodic risk assessments, properly trained personnel, employee training, vendor management, and a defined incident response plan.
Although the Regulations are now in effect, covered entities have an initial 180 day transition period to comply with many of the Regulations’ requirements, and up to two years for certain requirements. The Regulations will also, as a practical matter, have an impact beyond New York’s borders as covered entities who do business not only in that state but others take steps to comply. For questions about how the Regulations may affect your organization, and what steps to take to comply with them, meet with your Ally Law member firm banking and regulatory attorneys. If you are not aware of cybersecurity laws and regulations in your entity’s country of incorporation as well as the countries in which your entity does business you should also seek clarification from your local Ally Law member firm. For more information about Ally Law member firm services and outstanding lawyers, contact us at email@example.com.