Companies subject to New York’s Cybersecurity Regulation are acting quickly to finalize their compliance obligations as the fifth “due date,” September 4, 2018, quickly approaches.
By September 4, 2018, Covered Entities must ensure that their cybersecurity programs have in place certain additional safeguards:
- an audit trail that shows detection of and response to material cybersecurity events;
- written security procedures, guidelines, and standards for the development of in-house applications and for the evaluation and testing of externally developed applications;
- data retention policies and procedures for the disposal on a periodic basis of nonpublic information no longer necessary for business operations;
- risk-based policies, procedures, and controls to monitor the activity of authorized users and detect unauthorized access; and security controls, such as encryption, to protect non-public business relations and personal information.
Notably, for this upcoming deadline, Covered Entities that have received a limited exemption must still comply with the regulatory provision regarding data retention policies and procedures for the periodic disposal of nonpublic information.
To prepare for the latest deadline, companies should ensure that cyber events and incident audit trails are activated and being retained; finalize policies for addressing security risks in in-house application development and in the use of external applications; finalize data retention policies and schedules; finalize policies for monitoring authorized users; and consider and implement security controls as may be necessary, such as feasible encryption or effective alternative compensating controls, to protect non-public information.
Looking ahead, Covered Entities will be required to meet one final compliance deadline for the NYDFS on March 1, 2019. By March 1, 2019, Covered Entities must have security policies in place that govern the security of third-party service providers and, by that deadline, must implement such written security policies.
The NYDFS has been assisting Covered Entities with compliance questions through its frequently asked questions (“FAQs”) and answers on the NYDFS website, originally published on June 20, 2017 and updated most recently on August 9, 2018. The now 36 questions in the FAQs section address key topics such as the types of entities subject to the Cybersecurity Regulation (which now include HMOs and continuing care retirement communities), provisions that must be complied with even if an entity receives a limited exemption, obligations that a Covered Entity has when it merges with or acquires a new company, the notice requirements pertaining to a cybersecurity event, the annual certification requirement, requirements related to the CISO, the effective dates for various provisions, and third party service providers’ obligations under the regulation.
The NYDFS Cybersecurity Regulation (published at 23 NYCRR 500.01) sets forth the minimum requirements for NYDFS-regulated entities to address cybersecurity risks. For more background on the regulation, see our report, “NYDFS issues final cybersecurity regulations, setting new industry standard for cybersecurity controls.”
To date, Covered Entities have addressed several compliance deadlines for the NYDFS as it phased in its requirements over the past year and a half:
- By August 28, 2017, Covered Entities were required to have a cybersecurity program in place as well as a board (or senior officer) approved written cybersecurity policy and Chief Information Officer to help protect data and systems. They also became obligated to report cybersecurity events to the NYDFS.
- By September 27, 2017, Covered Entities that determined that they qualified for a limited exemption were required to file a Notice of Exemption with the NYDFS.
- By February 15, 2018, Covered Entities were required to comply with additional obligations under the regulation, including: implementation of a formal, written cybersecurity program and cybersecurity policy, limitations/restrictions on access privileges to information systems that provide access to nonpublic information, utilization of qualified cybersecurity personnel (internally or through qualified third party providers), designation of a new chief information security officer, and development of a written Incident Response Plan. Covered Entities were also required to file their first annual certification of compliance with the Cybersecurity Regulation.
- By March 1, 2018, Covered Entities were required to have a CISO responsible for preparing an annual report covering an organization’s information security policies, procedures, cyber risks, and the effectiveness of its cybersecurity programs; to design and implement a cybersecurity program that continually monitors and tests the organization’s vulnerabilities; and to use multi-factor authentication. Covered Entities were also required to provide regular cybersecurity awareness training for all personnel.