NYDFS cyber rules go live this week - What financial institutions need to know
Thursday, August 31, 2017
Posted by: Brian Monroe
August 30, 2017
This week marked the first major compliance deadline for New York’s first-in-the-nation cybersecurity regulations requiring financial institutions to bolster virtual protections and training, more quickly report breaches and designate a top cyber officer to manage the program.
The New York State Department of Financial Services (NYDFS) regulations, released as proposed rules nearly a year ago, are an acknowledgement of the ever-increasing aggressiveness of cyber threat actors in recent years.
The threats come from an array of illicit actors, including organized criminal networks, foreign nation-state spies, fame-seeking digital anti-heroes and idealist hacktivists. The attacks can also range from mindless phishing emails, to more directed and personalized business email compromise attacks that play on the weakest link in a company’s defenses – the human element.
As of Monday, August 28, banks, insurance companies and other entities regulated as financial institutions must have in place a cybersecurity program designed to protect consumers’ private data. The program must include several key components:
· A written policy or policies that are approved by the board or a senior officer.
· A designated Chief Information Security Officer responsible for overseeing the program and protecting data and systems.
· Controls and plans in place to help ensure the safety and soundness of New York’s financial services industry.
· Companies must report applicable, material cybersecurity events, such as a data breach, within 72 hours.
· Institutions must also certify compliance annually, with the certification signed by either a senior officer or the board of directors. The annual certification is due February 15, and institutions must also document the areas they have identified as needing improvement.
To read ACFCS coverage of the original proposed rules, please click here.
Here is a list of the key dates for compliance:
- March 1, 2017 - 23 NYCRR Part 500 becomes effective.
- August 28, 2017 – 180-day transitional period ends. Covered Entities are required to be in compliance with requirements of 23 NYCRR Part 500 unless otherwise specified.
- September 27, 2017 – Initial 30-day period for filing Notices of Exemption under 23 NYCRR 500.19(e) ends. Covered Entities that have determined that they qualify for a limited exemption under 23 NYCRR 500.19(a)-(d) as of August 28, 2017 are required to file a Notice of Exemption on or prior to this date.
- February 15, 2018 - Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.
- March 1, 2018 – One-year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500.
- September 3, 2018 - Eighteen-month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.
- March 1, 2019 - Two-year transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11.
The new rules also arrive as regulators push financial institutions to handle financial crime compliance in a more converged way.
When New York released the proposed cyber rules in September 2016, they came around the same time as guidance from the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) calling on the country’s banks to improve convergence across their anti-money laundering (AML), cybersecurity, fraud and risk management units to better uncover "cyber-enabled fraud."
Covered entities must also begin reporting cybersecurity events to DFS through the Department’s online cybersecurity portal. In addition, DFS recently announced that covered entities can file notices of exemption electronically; a notice is due within 30 days of the determination that the covered entity qualifies for an exemption.
“This day marks a significant milestone in protecting the financial services industry and the consumers they serve from the threat of cyber-attacks,” said Superintendent Maria Vullo.
“With cyber-attacks on the rise and comprehensive federal cybersecurity policy lacking for the financial services industry, New York is leading the nation with strong cybersecurity regulations,” she said.