The third transitional period for New York’s first-in-the-nation cybersecurity regulation for all Department of Financial Services (DFS) regulated entities ends on Sept. 4, 2018.
Beginning on Sept. 4, banks, insurance companies and other financial services institutions regulated by DFS are required to have come into compliance with several additional provisions of the cybersecurity regulation.
“These new protections, which include encryption, access controls and audit trails, add crucial tools to the regulation’s prior requirements in protecting the institutions and consumers,” said DFS Superintendent Maria T. Vullo in a press release issued by DFS.
Following the third compliance date, companies will be required to have commenced mandatory annual reporting to the board by the chief information security officer concerning critical aspects of the cybersecurity program, have an audit trail designed to reconstruct material financial transactions sufficient to support normal operations in the event of a breach and will need to have policies and procedures in place to ensure the use of secure development practices for IT personnel that develop applications for the covered entity.
Companies also must implement encryption to protect nonpublic information held or transmitted by the company. Entities are also required to have developed policies and procedures to ensure secure disposal of information that is no longer necessary for the business operations. They must have implemented a monitoring system as well that includes risk-based monitoring of all persons who access any of the company’s information systems or who use the company’s nonpublic information. DFS also has reminded regulated entities that under DFS’s regulation, if they utilize third-party service providers, they must evaluate the risk that any third-party service providers pose to the security of those systems and data and ensure those systems and data are protected by March 1, 2019.
Was this article valuable?
Here are more articles you may enjoy.