On Monday, the first of several cybersecurity requirements for entities regulated by the New York Department of Financial Services (DFS) came into effect. As discussed at length in our prior alerts, the requirements broadly cover all entities operating under or required to operate under DFS licensure, registration, or charter, or which are otherwise DFS-regulated, as well as, by extension, unregulated third-party service providers to regulated entities.
The regulations that came into effect include some of the most onerous provisions of the law. Several of the provisions focusing on people and process controls became effective, including:
- The maintenance of a cybersecurity program based on periodic risk assessments and designed to identify and assess risks, protect information systems and nonpublic information, detect, respond to, and recover from cyber events, and fulfill all reporting obligations. Section 500.02.
- The maintenance of a set of written policies and procedures designed to protect information systems and nonpublic information, including a written incident response plan. These procedures must also provide for the notification of DFS within 72 hours of a determination that a cybersecurity event has occurred. Sections 500.03, 500.16, and 500.17.
- The designation of a chief information security officer to oversee the cybersecurity program and other qualified cybersecurity personnel to manage cyber risks. Sections 500.04 and 500.10.
In addition, two difficult-to-implement technology security controls are included in those that became effective Monday:
- Access controls (that is, limiting each user's access to only what is necessary for that user's role). Section 500.07.
- Data minimization and secure disposal. While secure disposal is relatively straightforward, limiting data retention to a period that is no longer than necessary for business operations or other legitimate business purposes can be difficult and requires an extensive and holistic data classification and information governance program. Section 500.13.
Although some of the other provisions do not become effective for another six months to a year, this first effectiveness deadline has shown that even focused and risk-based cybersecurity regulations can cause a huge shift in how companies manage and oversee cybersecurity. Enforcement by DFS will show how flexible and focused these regulations are in practice, but until then companies will need to be prepared to implement even the most difficult of these controls.