Feb 72018

NYDFS Cybersecurity Regulations: First Annual Compliance Certification Due February 15, 2018

Charlene McHugh
, , ,

Companies that are subject to New York’s Cybersecurity Regulation are moving quickly to finalize their compliance obligations under the Cybersecurity Regulation, as the second “due date” quickly approaches – February 15, 2018.   By August 28, 2017, Covered Entities were required to have a cybersecurity program in place, as well as a board (or senior officer) approved written cybersecurity policy and Chief Information Security Officer to help protect data and systems.  They also became obligated to report cybersecurity events to the NYDFS. 

By February 15, 2018, Covered Entities must comply with additional obligations under the NY Cybersecurity Regulation including: implementation of a formal, written Cybersecurity Program and Cybersecurity Policy, limitations/restrictions on access privileges to information systems that provide access to nonpublic information, utilization of qualified cybersecurity personnel (internally or through qualified third party providers), designation of a new chief information security officer and development of a written Incident Response Plan.  By February 15, 2018, Covered Entities must file their first annual certification of compliance with the Cybersecurity Regulations.

The NYDFS has been assisting Covered Entities with compliance questions through its  frequently asked questions (“FAQs”) and answers on the NYDFS website, originally published on June 20, 2017 and updated most recently on December 12, 2017.  The now 26 questions in the FAQs section address the types of entities that fall within the scope of the Cybersecurity Regulations, the notice requirements attending a Cybersecurity Event (as defined in the regulations), the annual certification requirement, and additional specific elements of the rules.

The NYDFS Cybersecurity Regulations (published at 23 NYCRR 500.01) set forth the minimum requirements for NYDFS-regulated entities to address cybersecurity risk.  For background, see our report, “NYDFS issues final cybersecurity regulations, setting new industry standard for cybersecurity controls”.

Charlene McHugh

cmchugh@sidley.com

You might also like
New EU Cyber Law for the Financial Services Industry with Significant Impact on ICT Service Providers

The new EU Regulation on Digital Operational Resilience for the Financial Sector (DORA) recently entered into force. DORA establishes cybersecurity requirements for information and communication technology (ICT) systems supporting the business processes of financial entities and represents a paradigm shift for the ICT sector.  Critical ICT third-party service providers, who are providing services to regulated financial entities, will also be directly regulated under DORA and subject to regulatory supervision by a regulator to be established under DORA (a so-called ‘Lead Overseer’).

Washington State Enacts My Health My Data Act, Broadly Regulating Health-Related Data With a Private Right of Action

On April 27, 2023, Washington Gov. Jay Inslee, a Democrat, signed into law the state’s My Health My Data Act (the Act), which will become effective on March 31, 2024 (June 30, 2024, for small businesses). Despite its name, this is a comprehensive privacy bill that will affect many entities, including those outside of the traditional “health” context. The rights and obligations may apply to individuals other than Washington residents, as the law defines consumers as including persons whose data is merely collected or otherwise processed in the state.

Regulatory Update: National Association of Insurance Commissioners Spring 2023 National Meeting
The National Association of Insurance Commissioners (NAIC) held its Spring 2023 National Meeting (Spring Meeting) March 21–25, 2023. This Sidley Update summarizes the highlights from this meeting in addition to interim meetings held in lieu of taking place during the Spring Meeting. Highlights include continued development of accounting principles and investment limitations related to certain types of bonds and structured securities, continued discussion of considerations related to private equity (PE) ownership of insurers, new initiatives to address innovation and technology in the insurance sector, and continued development of a new consumer privacy protections model law.