New York-based financial firms have a month before they have to comply with the first of several deadlines in the New York Department of Financial Services cybersecurity regulations for financial services firms, which took effect March 1.
The regulations apply to any firm covered by the New York Banking Law, the Insurance Law or the Financial Services Law, although there are some exemptions, including firms with fewer than 10 employees, those with less than $5 million in gross annual revenue from their New York business operations over the last three years, or those with less than $10 million in total year-end assets.
New York-based branch offices of national banks, including foreign banks, would also be subject to the regulations, even if the bank does most of its business outside the state, according to lawyers at BakerHostetler, a national law firm.
Exempt firms are only released from certain parts of the regulations, Melinda McLellan, a lawyer at BakerHostetler, said on a webinar on Thursday. They wouldn’t be required to appoint a chief information security officer or implement multifactor authentication, but they must still conduct risk assessments, implement a written cybersecurity policy that addresses third-party risk and access privileges, and develop data retention practices.
Firms that are exempt must file a notice with the Department of Financial Services within 30 days of determining their status, and provide an annual notice of their continued exemption every year.
Firms that lose their exemption status have 180 days to come into compliance with the regulations.
The regulation has multiple deadlines to give firms more time to comply with the more onerous requirements.
As of Aug. 28, firms will have to implement a cybersecurity program and appoint a chief information security officer. Firms can outsource the CISO role, but they need to ensure that person is “at the appropriate level at the company to take responsibility for exercising the oversight of the CISO,” according to Craig Hoffman of BakerHostetler.
One of the responsibilities of the CISO is to establish a cybersecurity plan and get it approved by the senior officer of licensing, Hoffman said.
Other requirements include limiting access to personal information, establishing an incident response plan, implementing defensive infrastructure and maintaining audit trails. Firms will have to report a cybersecurity event within 72 hours of discovering it.
Jonathan Forman noted the August requirements are probably the easiest to comply with. “For example, I’m sure most licensees already use some form of defensive infrastructure and have written cybersecurity practices in place.”