Earlier this month, the new cybersecurity regulation from the New York Department of Financial Services (“DFS“) took effect. The new regulation requires banks, insurance companies and other financial services institutions regulated by the DFS to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.
The final cybersecurity regulation is very similar to the proposed regulation, which we reported on in a previous post, but contains a few notable changes:
- Record retention requirements for audit trails designed to detect and respond to Cybersecurity Events were reduced from five years to three years.
- Clarification that Covered Entities’ policies and procedures regarding notice to be provided by Third Party Service Providers of Cybersecurity Events cover only Covered Entity’s Nonpublic Information being held by the Third Party Service Provider.
- Clarification of the circumstances under which a Covered Entity must provide notice of Cybersecurity Event to the Superintendent.
- The limited exemptions have been revised to specifically include the number of employees and the gross annual revenue of a Covered Entity’s affiliates located in New York.
- Clarification on the exemptions available for companies regulated under New York’s Insurance Law.
Financial institutions in other states may wish to pay particular attention to this “first-in-the-nation cybersecurity regulation” issued by a state financial regulator, particularly as it may be only a matter of time before other states follow New York’s lead.
The DFS regulation, 23 N.Y.C.R.R. Part 500, is available here.