Compliance Deadline Approaching for NY Cybersecurity Regulation

Posted by

A key compliance date for the NY Cybersecurity Regulation is quickly approaching. September 4, 2018 will serve as the third key implementation date for individuals and companies (Covered Entities) governed by New York’s Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500). Unless the Covered Entity qualifies for one of the exemptions under 23 NYCRR 500.19, by September 4, all Covered Entities must have completed the following*:

  • create and maintain systems that can reconstruct material financial transactions to support and maintain the obligations of the Covered Entity and include audit trials designed to deter and detect a hack or breach that has a reasonably likelihood of harming the material parts of the Covered Entity’s normal operations (23 NYCRR 500.06);
  • create and implement written policies and procedures designed to ensure the use of secure development practices when developing in-house applications and the evaluation and security testing of externally developed applications used by the Covered Entity (23 NYCRR 500.08);
  • create and implement policies and procedures for the secure disposal of any Nonpublic Information that is no longer necessary for business operations or other legitimate business purpose unless Covered Entity is required to maintain the information by law or disposal is not reasonably feasible because of how the information is maintained (23 NYCRR 500.13);
  • “[i]mplement risk-based policy, procedures and controls designed to monitor the activities of Authorized Users and detect unauthorized use or tampering with Nonpublic Information by such Authorized Users” (23 NYCRR 500.14(a)); and
  • implement controls, including encryption, to protect Nonpublic Information held or transmitted by the Covered Entity and ensure that these controls are reviewed by the CISO at least annually (23 NYCRR 500.15).

March 2, 2019 will serve as the final implementation compliance date.  Compliance deadlines, FAQs, and the cybersecurity portal can be found here.

*Please see the regulation for specific requirements.