Clifford Chance

The New York State Department of Financial Services (DFS) reminded regulated entities last week that the final transitional period for DFS's Cybersecurity Regulations ends March 1, 2019. By that date, banks, insurance companies, and other financial service providers regulated by DFS (Covered Entities) will be expected to be fully compliant with DFS's Cybersecurity Regulations (23 NYCRR Part 500).

Requirements from previous transitional periods

As we have discussed previously, DFS's Cybersecurity Regulations have been implemented through a series of four six-month transitional periods during which Covered Entities have been required to:

• Adopt risk-based cybersecurity policies and procedures to protect against data breaches and cyber attacks;
• Adopt an incident response plan that includes keeping audit trails and records that allow a Covered Entity to respond to incidents while minimizing disruptions to the entity's normal business;
• Adopt and implement policies and procedures for periodic secure disposal of nonpublic information that is no longer needed;
• Adopt and implement systems to encrypt nonpublic information to protect data from unauthorized access, disclosure, or destruction;
• Place limitations on access privileges to nonpublic information; and
• Name or hire a Chief Information Security Officer (CISO).
  

New requirements

During this final transitional phase ending March 1, Covered Entities will be required to put in place policies and procedures to protect nonpublic information accessible to or held by third party service providers. According to the Cybersecurity Regulations, Covered Entities will need to have:

• Procedures to identify and assess cybersecurity risks of third party service providers;
• Requirements that third party service providers have in place minimum cybersecurity practices to protect data; and
• Programs to monitor and evaluate the adequacy of the cybersecurity practices of third party service providers.
  

Second annual compliance certifications due February 15, 2019

DFS also reminded Covered Entities that the second annual certification of compliance with the Cybersecurity Regulations must be submitted on or by February 15, 2019. This certification covers the previous calendar year, meaning that the requirement for policies and procedures regarding data held by third party providers will not yet have been effective.

Conclusion and implications

DFS has stated previously that it will be incorporating cybersecurity into its examinations of Covered Entities, and with the end of this final transition period looming and increasing attention on data privacy, it would not be surprising to see cybersecurity-related enforcement actions and investigations in the near future. Therefore, Covered Entities should take this opportunity to review all of their data systems and policies and procedures to ensure that they are fully compliant with DFS's Cybersecurity Regulations.

At the same time, all companies should closely monitor what other states are doing in the cybersecurity space. In 2018, at least 11 states added cybersecurity-related laws to their books, including California, which we have written about previously. There is little doubt that more will come in 2019. All of this will inform how DFS approaches enforcement of its own regulations, so companies watching other states will be ahead of the curve in implementing and demonstrating compliance.