NY | Financial Services Superintendent Maria T. Vullo today reminded all Department of Financial Services (DFS) regulated entities covered by DFS’s landmark cybersecurity regulation that the third transitional period of New York’s first-in-the-nation cybersecurity regulation ends on September 4, 2018. Beginning on September 4, 2018, banks, insurance companies, and other financial services institutions regulated by DFS are required to have come into compliance with several additional provisions of the cybersecurity regulation that are vital to the governance and components of a robust financial services cybersecurity program.
Starting September 4th, companies will be required to have commenced mandatory annual reporting to the board by the Chief Information Security Officer concerning critical aspects of the cybersecurity program, to have an audit trail designed to reconstruct material financial transactions sufficient to support normal operations in the event of a breach, and to have policies and procedures in place to ensure the use of secure development practices by IT personnel who develop applications for the Covered Entity. Companies also must implement encryption to protect nonpublic information held or transmitted by the company. Entities are also required to have developed policies and procedures to ensure secure disposal of information that is no longer necessary for business operations, and must have implemented a monitoring system that includes risk-based monitoring of all persons who access or use any of the company’s information systems or who access or use the company’s nonpublic information.
DFS also reminds regulated entities that under DFS’s regulation, if they utilize Third-Party Service Providers, they must evaluate the risk that any Third-Party Service Providers pose to the security of those systems and data and ensure those systems and data are protected by March 1, 2019.