On February 16, 2017, the New York State Department of Financial Services (NYDFS) issued cybersecurity regulations (23 NYCRR Part 500) for banks, insurance companies and other financial institutions subject to NYDFS jurisdiction. The regulations take effect March 1, 2017. Covered entities will have 180 days from the effective date to come into compliance with most requirements, though certain provisions carry transitional periods of up to two years after the effective date.1
First proposed in September 2016 and revised after two rounds of public comment, the regulations establish requirements that in some respects overlap with existing federal data security obligations for financial institutions, but in several important respects differ from and go beyond the federal requirements. Notably, the NYDFS regulations protect "Nonpublic Information," a category considerably broader than "customer information" as defined under the federal Interagency Guidelines Establishing Information Security Standards.2 The regulations also impose (i) obligations to report cybersecurity events to NYDFS, (ii) an annual certification of compliance with the regulations, (iii) requirements for oversight of third-party service providers, (iv) obligations concerning the use of multi-factor authentication and encryption of Nonpublic Information, and (v) requirements concerning audit trail maintenance and the disposal of Nonpublic Information that is no longer needed.