The New York Department of Financial Services cybersecurity regulation 23 NYCRR 500 (the “Regulation”) came into effect in March 2017 and established four staggered compliance deadlines for its various requirements.
By the third deadline of September 3, 2018, Covered Entities are required to be in compliance with sections 500.06 (audit trails), 500.08 (application security), 500.13 (limitations on data retention), 500.14(a) (training and monitoring), and 500.15 (encryption of nonpublic information).
Summarized below are the key requirements of these sections:
Section 500.06: Audit Trails
Section 500.08: Application Security
Section 500.13: Limitations on Data Retention
Section 500.14(a): Training and Monitoring
Section 500.15: Encryption of Nonpublic Information
By February 15, 2019, Covered Entities must submit a certification of compliance with these requirements.