On August 8, 2018, the Superintendent of the New York State Department of Financial Services (DFS) issued a reminder to DFS-regulated financial services businesses that, starting September 4, 2018, they were required to be in compliance with the next set of requirements in the DFS cybersecurity regulation, 23 NYCRR Part 500.
Subject to certain exemptions, New York State imposes cybersecurity requirements on all entities subject to the jurisdiction of the DFS (Covered Entities). These include not only banks and insurers but any person regulated by the DFS, including money transmitters, check cashers and businesses engaged in virtual currency business activity.
Starting September 4, 2018, these new requirements include the following:
Audit Trail: Covered Entities must securely maintain systems that, to the extent applicable and based on the entity's risk assessment, (i) are designed to reconstruct material financial transactions sufficient to support the normal operations and obligations of the Covered Entity, and (ii) include audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of the Covered Entity's normal operations. The regulation also sets minimum retention periods for these records: not fewer than five years for the transaction-reconstruction records and not fewer than three years for the audit trail records.
Application Security: Each Covered Entity's cybersecurity program must include (i) written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications utilized by the Covered Entity, and (ii) procedures for evaluating, assessing or testing the security of externally developed applications utilized by the Covered Entity. These procedures, guidelines and standards must be periodically reviewed, assessed and updated as necessary by the Covered Entity's CISO or a qualified designee.
Data Retention Limitations: Each Covered Entity must have policies and procedures for the secure disposal of certain nonpublic information that is no longer necessary for business operations or for other legitimate business purposes of the Covered Entity, unless the information otherwise is required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.
Training and Monitoring: As part of its cybersecurity program, each Covered Entity must implement risk-based policies, procedures and controls designed to monitor the activity of authorized users of the entity's information systems and to detect unauthorized access to, use of, or tampering with nonpublic information by those users. (The companion requirement to provide regular cybersecurity awareness training for all personnel took effect in the earlier transitional period.)
Encryption of Nonpublic Information: As part of its cybersecurity program, each Covered Entity must implement and maintain encryption controls, based on its risk assessment, to protect nonpublic information held or transmitted by the Covered Entity, both in transit over external networks and at rest. Where encryption of data in transit or at rest is infeasible, the Covered Entity may instead secure the information using effective alternative compensating controls that have been reviewed and approved by its CISO; the feasibility of encryption and the effectiveness of any compensating controls must be reviewed by the CISO at least annually.
The Superintendent also reminded Covered Entities of the next transitional compliance date, March 1, 2019. By that date, a Covered Entity that uses third party service providers must have implemented written policies and procedures designed to ensure the security of its information systems and nonpublic information that are accessible to, or held by, those providers. This includes identifying and assessing the risks such providers pose, setting minimum cybersecurity practices they must meet, performing due diligence on their practices, and periodically reassessing their continued adequacy.