Next Phase Begins for DFS Cybersecurity Regulations

Financial Services Law

A reminder from the New York Department of Financial Services (DFS): Beginning Sept. 4, 2018, all banks, insurance companies and other financial services institutions regulated by the DFS must comply with several additional requirements of the agency's landmark cybersecurity regulation, 23 NYCRR Part 500.

Entities face several new obligations as the latest transitional period ends. These include annual reporting by the chief information security officer to the board, encryption of nonpublic information, audit trails for material financial transactions and cybersecurity events, application security and data retention procedures, and risk-based monitoring of individuals with access to sensitive information.

What happened

The “Cybersecurity Requirements for Financial Services Companies” took effect in March 2017 for banks, insurance companies, money services businesses and other financial services institutions under DFS jurisdiction.

Implementation of the regulation has been phased in, with several compliance deadlines along the way. The first annual certification of compliance, covering calendar year 2017, was due through the DFS portal on Feb. 15, 2018. The next compliance deadline is Sept. 4, 2018.

Among the most sweeping cybersecurity regimes in the nation, the regulations require covered entities to assess their specific risk profile and design programs that “ensure the confidentiality, integrity and availability” of the covered entity’s information systems and “nonpublic information,” including any business-related information, information provided to a covered entity, healthcare information and personally identifiable information.

Further, covered entities must adopt written cybersecurity policies covering topics ranging from business continuity and disaster recovery planning to physical security and environmental controls, and must designate a chief information security officer (CISO) who reports at least annually to the board of directors, or equivalent governing body, on the entity's cybersecurity program and material cybersecurity risks.

Covered entities must also maintain audit trails designed to reconstruct material financial transactions sufficient to support normal operations and obligations, and to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming normal operations; the regulation requires transaction records to be retained for at least five years and event records for at least three. Policies and procedures must require secure development practices for in-house developed applications and a process for assessing the security of externally developed applications, and must provide for the periodic secure disposal of nonpublic information that is no longer necessary for business operations, except where retention is otherwise required by law.

Also on the imminent to-do list: encryption of nonpublic information both in transit over external networks and at rest (where encryption is infeasible, the CISO may approve effective compensating controls, with feasibility and effectiveness reviewed at least annually), and risk-based policies, procedures and controls to monitor the activity of authorized users and detect unauthorized access to or use of nonpublic information, together with regular cybersecurity awareness training for all personnel.

The DFS noted that this wave of requirements will not be the last under the regulation. By March 1, 2019, covered entities that use third-party service providers must have written policies and procedures to assess the risk those providers pose to the entity's information systems and nonpublic information, and to ensure that the systems and data accessible to or held by such providers are adequately protected.

The full text of the regulation (23 NYCRR Part 500) and the related DFS media release are available on the DFS website.

Why it matters

“September 4th marks another important milestone in further protecting the financial services industry and the consumers they serve from the threat of cyberattacks, thanks to DFS’s landmark cybersecurity regulations,” DFS Superintendent Maria T. Vullo said in a statement. “These new protections, which include encryption, access controls and audit trails, add crucial tools to the regulation’s prior requirements in protecting the institutions and consumers.”

For some regulated entities, many of these requirements may be substantially similar to internal security policies or business partner obligations that already conform to existing industry standards and other best practices. Other entities may still be working to bring their security programs into line with these complex new standards, in particular the new audit trail requirement. With this third compliance deadline and the final March 1, 2019, milestone for the third-party service provider requirements, these practices now carry the force of law in New York.




© 2024 Manatt, Phelps & Phillips, LLP. All rights reserved.