Data Security Law Blog

Ninety Days and Counting: NY Cyber Regulation’s First Deadline

Faced with an approaching August 28th deadline, the more than 3,000 financial institutions that do business in New York should be knee-deep in implementing the first wave of requirements under the State’s sweeping and unprecedented cybersecurity regulation.

As readers of this blog know, New York’s powerful banking regulator, the Department of Financial Services, has enacted the country’s toughest cybersecurity regulation.   Effective as of March 1, 2017, the regulation requires banks, insurance companies and financial institutions under the agency’s supervision to design and implement a comprehensive, risk-based and accountability-driven set of data security safeguards and protections.  Although the deadlines for compliance are staggered, the August 28th requirements include:

▪ Designating a Chief Information Security Officer responsible for overseeing, implementing, and enforcing the institution’s Cybersecurity Policy;

▪ Putting in place a risk-based Cybersecurity Program “designed to protect the confidentiality, integrity and availability” of an institution’s information systems;

▪ Implementing a Cybersecurity Policy setting forth “policies and procedures” for the protection of the organization’s network and sensitive information;

▪ Board of director or senior officer approval of the Cybersecurity Policy;

▪ Limiting user privileges to information systems that provide access to nonpublic information;

▪ Ensuring that “qualified cybersecurity personnel” are used to “perform or oversee” core cybersecurity functions; and

▪ Establishing a “written incident response plan” to enable the institution to respond to a data security event.

These initial set of requirements are detailed and far-reaching in an increasingly complex regulatory environment.

Over the next three months, we will publish a series of blog posts that focus on these initial requirements and that look ahead to what’s required by the next set of deadlines including the first-ever U.S. data security requirement that either a board member or senior corporate officer file a sworn statement attesting to the institution’s compliance with the regulation.

As always, let us know if you have any questions.