Today marks the first deadline for entities regulated by the New York Department of Financial Services (“NYDFS”) to comply with certain provisions of the recent NYDFS cybersecurity rules. The rules taking effect is a significant event for NYDFS-regulated entities, and for any company facing cybersecurity concerns. The unique combination of (1) concrete cybersecurity requirements (e.g., access controls), (2) a senior-level certification obligation, and (3) the 72-hour notice requirement will likely have a lasting impact on cybersecurity regulations and expectations in general. Covered companies must now have:
- Designated a Chief Information Security Officer (“CISO”);
- Implemented the required elements of a cybersecurity program, cybersecurity policies, and an incident response plan;
- Regulated access privileges for information systems;
- Ensured that required cybersecurity personnel are in place; and
- Prepared to notify the NYDFS within 72 hours of certain cybersecurity events.
The rules also require that companies conduct a risk assessment, but that deadline (along with the deadline for the CISO report to the Board, training, penetration testing, and multifactor authentication) is not until March 1, 2018. However, because of the express connections between the risk assessment and many of the obligations set forth in the rules, many companies are aiming to conduct their risk assessment early, so that it can be factored into the certification process that must be completed by February 15, 2018.
The cybersecurity events that trigger the 72-hour notice requirement include those that:
- Require notice to be provided to any other government body, self-regulatory agency, or supervisory body; or
- Create a reasonable likelihood of materially harming any part of the normal operation of your company.
Beyond those NYDFS-regulated entities that are directly subject to the rules, thousands of vendors of those firms will be required to comply with the rules because the companies that they serve are obligated to impose the requirements on their vendors.
More broadly, as discussed in our June Webcast about NYDFS cyber compliance, the rules may become industry best practices for cybersecurity. As a result, many companies that are not subject to the rules will, for a variety of reasons, want to be able to say that they meet the NYDFS requirements.