New York-based financial firms have a month left to meet the first of several compliance deadlines under the New York Department of Financial Services cybersecurity regulation for financial services firms (23 NYCRR Part 500), which took effect March 1.
The regulations apply to any firm covered by the New York Banking Law, the Insurance Law or the Financial Services Law, although there are some exemptions: firms with fewer than 10 employees, those with less than $5 million in gross annual revenue from their New York business operations in each of the last three fiscal years, or those with less than $10 million in year-end total assets.
New York-based branch offices of national and foreign banks would also be subject to the regulations, even if the bank does most of its business outside the state, according to lawyers at BakerHostetler, a national law firm.
Exempt firms are only released from certain parts of the regulations, Melinda McLellan, a lawyer at BakerHostetler, said on a webinar on Thursday. They wouldn’t be required to appoint a chief information security officer or implement multifactor authentication, but they must still conduct risk assessments, implement a written cybersecurity policy that addresses third-party risk and access privileges, and develop data retention practices.
Firms that are exempt must file a notice with the Department of Financial Services within 30 days of determining their status, and provide an annual notice of their continued exemption every year.
Firms that lose their exemption status have 180 days to come into compliance with the regulations.
The regulations have multiple deadlines to give firms more time to comply with the more onerous requirements.
As of Aug. 28, firms will have to implement a cybersecurity program and appoint a chief information security officer. Firms can outsource the CISO role, but they need to ensure that person is “at the appropriate level at the company to take responsibility for exercising the oversight of the CISO,” according to Craig Hoffman of BakerHostetler.
One of the responsibilities of the CISO is to establish a cybersecurity policy and get it approved by a senior officer of the licensee, Hoffman said.
Other requirements due by Aug. 28 include limiting access privileges to nonpublic information, establishing a written incident response plan and implementing defensive infrastructure. Firms will also have to notify the department of a cybersecurity event within 72 hours of determining that one has occurred.
Jonathan Forman noted the August requirements are probably the easiest to comply with. “For example, I’m sure most licensees already use some form of defensive infrastructure and have written cybersecurity practices in place.”
By March 1, 2018, firms will have to identify their critical systems and data, and how they keep them operational. Although the requirement to begin conducting periodic risk assessments doesn’t kick in until that date, McLellan noted, “It would be difficult to establish a cybersecurity program based on a risk assessment if you haven’t already done one.”
The CISO must begin reporting to the firm’s board of directors, and the firm must have cybersecurity awareness training in place for its employees, by this deadline.
“Most entities in the space should already have cybersecurity training in place for their employees, but to the extent that the program hasn’t been formalized, or isn’t up to speed or it needs to be amended … that would have to be up to date by March 1,” McLellan said.
This is also the deadline for firms to begin either continuous monitoring or annual penetration testing with biannual (twice-yearly) vulnerability assessments, and to introduce multifactor authentication.
By Sept. 3, 2018, firms will have to maintain audit trails, including records sufficient to reconstruct material financial transactions, and retain them for five years.
They must also implement disposal policies for nonpublic information (NPI) and encrypt NPI both in transit over external networks and at rest; where encryption is infeasible, the regulation allows compensating controls reviewed and approved by the CISO. This requirement may bedevil some firms, as Hoffman pointed out that older servers can’t simply be “retrofit to work with encryption technology.”
Firms must also have secure development practices for applications developed in house and procedures for evaluating externally developed applications, including cloud-based apps, and must begin monitoring the activity of authorized users, by the Sept. 3, 2018, deadline.
The third-party risk management requirement takes effect with the March 1, 2019, deadline. Cybersecurity programs should be updated to address due diligence policies and procedures, as well as adding contractual provisions regarding cybersecurity in agreements with vendors.
“That might be why this is not coming into effect until March 1 of 2019, because it can be a bit of a time-consuming process to amend those vendor contracts or, if your vendor won’t go along with it, to find a new vendor,” McLellan said.
Correction: This article has been updated to correct the spelling of Jonathan Forman’s first name, and to clarify that BakerHostetler is a national law firm.