Financial Firms Face Sept. 4 Cybersecurity Deadline

New York-based financial services firms are running headlong into a deadline impacting their cybersecurity procedures. Failure to comply with the third phase of New York’s Cybersecurity Regulation by the September 4 deadline means these companies could face stiff penalties or the revocation of their licenses to operate in New York.

New York’s Cybersecurity Regulation, the first of its kind in the nation, imposes a series of staggered deadlines for compliance with its various requirements. (See generally, 23 NYCRR Part 500.)  The superintendent of New York’s Department of Financial Service (DFS) recently issued a reminder that September 4, 2018 is the regulation’s third transitional deadline:  https://www.dfs.ny.gov/about/press/pr1808081.htm

In our January newsletter, we discussed the potential impact of the Cybersecurity Regulation on banking, insurance and financial services “Covered Entities” (as defined in the regulation) and what was required s to comply with the first two transitional deadlines. See https://www.rivkinradler.com/publications/feb-15-deadline-looms-nys-banking-insurance-financial-services-industries/

By the September 4 third transitional deadline set forth in Section 500.22(b)(2), Covered Entities must have established the following:

• Systems and records to “reconstruct material transactions sufficient to support normal operations,” including “audit trails” designed to detect and respond to Cybersecurity Events. (Section 500.06 Audit Trail.)
• Procedures, guidelines and requirements to address the security of in-house developed applications and to assess the security of externally developed applications used by the Covered the Entity.  (Section 500.08 Application Security.)
• Policies and procedures for the “secure disposal” on a periodic basis of “Nonpublic Information” that is no longer necessary for the Covered Entity’s legitimate business purpose and is not otherwise required to be maintained under the law. (Section 500.13 Limitations on Data Retention.)
• Policies, procedures and controls to monitor the activities of authorized users and detect an authorized  user’s unauthorized access or misuse of Nonpublic Information. (Section 500.14 (a) Training and Monitoring.)
• Processes and controls to protect Nonpublic Information in the Covered Entity’s possession while in transit or at rest, including encryption or, if encryption is “infeasible,” such other steps and controls to protect the Nonpublic Information to be approved by the Covered Entity’s Chief Information Security Officer (CISO) on an annual basis. (Section 500.15 Encryption of Nonpublic Information.)

It is important for all banking, insurance and financial services entities to note that compliance with Section 500.13 Limitations on Data Retention is required even if the entity has filed for an “exemption” because:

1. of its size, annual earnings or assets (500.19(a)),
2. they do not control Nonpublic Information (500.19(c)) or
3. they are captive insurers that do not control Nonpublic Information other than relating to its corporate parent company (500.19(d)). See https://www.dfs.ny.gov/about/cybersecurity_faqs.htm

Finally, as part of its annual certification of compliance, under 23 NYCRR 500.17(b), due on or before February 15, 2019, the Covered Entity will have to include that it complied with the items due on September 4, 2018, as well as any updates or amendments it has made to the cybersecurity plan following the certification it filed on February 15, 2018.

Compliance with DFS’ Cybersecurity Regulation and its stringent deadlines for response to cyber events require a close partnership of information-technology and legal professionals, along with C-suite executives. If you are unsure of your company’s compliance with the Regulation or are concerned about meeting the September 4 deadline, contact your attorney.