Deadline to Comply with New York's Cybersecurity Regulation Is Approaching
For entities regulated by the New York Department of Financial Services, the deadline for complying with the new Cybersecurity Requirements for Financial Services Companies, 23 NYCRR Part 500, is Monday, August 28, 2017. To assist, the Department recently updated its Frequently Asked Questions Regarding 23 NYCRR Part 500.
In short, and subject to certain exemptions, the Regulation generally applies to entities required to operate with a license or other formal authorization under New York's Banking Law, Insurance Law, or Financial Services Law. Among other things, the Regulation requires covered entities to:
- Maintain a cybersecurity program, conduct periodic risk assessments, maintain written policies and procedures to protect information systems and nonpublic information, ensure the security of information handled by third parties, designate a Chief Information Security Officer, and conduct training and monitoring.
- Employ certain technical measures—namely, penetration testing and vulnerability assessments, limitations on access privileges, multifactor authentication, encryption of nonpublic information at rest and in transit over external networks, and limitations on data retention.
- Develop an incident response plan.
- Notify the Superintendent of Financial Services within 72 hours of determining that a cybersecurity event occurred, and maintain an audit trail designed to detect and respond to such events. The Regulation defines a "cybersecurity event" as any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt, or misuse an information system or electronically stored nonpublic information.
Additionally, directors and/or senior officials must certify that they have reviewed reports and other documentation and that the covered entity's cybersecurity program complies with the Regulation. Although the Regulation does not specify penalties for noncompliance, it may be enforced under any applicable laws, including New York's banking, insurance, or financial services laws that contain civil and criminal penalties.
The Colorado Division of Securities has adopted similar rules, and other states may follow.
For further information, please contact your principal Firm representative or one of the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at www.jonesday.com/contactus/.
Richard J. Johnson
Mauricio F. Paez
Kerianne N. Tobitsch
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.