NYDFS Published Final Cybersecurity Rules | Practical Law


The New York State Department of Financial Services has published final cybersecurity regulations for banks, insurers, and other financial services institutions subject to its jurisdiction.


Practical Law Legal Update w-006-5593 (Approx. 4 pages)


by Practical Law Finance
Published on 23 Feb 2017, New York
On February 16, 2017, the New York State Department of Financial Services (NYDFS) published final cybersecurity regulations applicable to New York State-regulated banks, insurers, and other financial services institutions. These rules were initially proposed on September 13, 2016 and redrafted on December 28, 2016 (see Legal Update, NYDFS to Delay Implementation of Cybersecurity Rules). The rules will become effective on March 1, 2017.
The final rule includes several revisions to the original proposed rule (in addition to those added by the December 28, 2016 redraft), with substantive changes to, among other things, requirements for a covered entity's cybersecurity program, audit trail, and third-party service provider security policies. The newly revised sections include:
  • Cybersecurity Program (Section 500.02). Under the final rules, a covered entity is free to adopt a custom tailored cybersecurity program that is appropriate to protect its information systems, nonpublic information, or business operations based on its risk assessment.
  • Audit Trail (Section 500.06). Covered Entities are required to maintain records for systems designed to reconstruct financial transactions for a period of not fewer than five years, and for audit trails designed to detect and respond to a cybersecurity event for a period of not fewer than three years.
  • Third Party Service Provider Security Policy (Section 500.11). The final rules specify that the Covered Entity maintain policies and procedures for Third Party Service Providers that limit access to both Information Systems and Nonpublic Information.
  • Notices to Superintendent (Section 500.17). The final rules clarify that each Covered Entity is required to submit a written statement of compliance (in the form of Appendix A, attached to the final rules) to the superintendent covering the prior calendar year. This statement must be submitted annually by February 15. Additionally, the final rules clarify that notification to the superintendent is required within 72 hours if either of the following occurs (as opposed to both, as in the proposed rules):
    • a cybersecurity event impacting the Covered Entity that requires notice to be provided to any government body, self-regulatory agency, or other supervisory body; or
    • a cybersecurity event that has a "reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity."
  • Exemptions (Section 500.19). The final rules clarify that the exemptions enumerated in Section 500.19 apply to Covered Entities or their Affiliates located in New York. Additionally, Covered Entities that are captive insurance companies under Article 70 of the New York Insurance Law, and that do not control or have access to Nonpublic Information other than information relating to their parent company, are generally exempt from much of the cybersecurity regulation.
    Covered Entities that qualify for an exemption under Section 500.19 are required to file a Notice of Exemption (in the form of Appendix B, attached to the final rules) within 30 days of the determination that the Covered Entity is exempt.
    The final rules add a section that specifically exempts the following Persons from the requirements of Part 500, provided that they do not otherwise qualify as a Covered Entity:
For more information on the NYDFS proposal, see Article, NY Department of Financial Services Cybersecurity Regulations for Banks and for more information on data privacy and cybersecurity in the US, see Practice Note, US Privacy and Data Security Law: Overview.