NY regulator urges firms to comply with cybersecurity regulation

Financial Services Superintendent Maria T. Vullo today reminded all entities regulated by the New York State Department of Financial Services (DFS) that they have to be in full compliance with the cybersecurity regulation by March 1, 2019.

Let’s recall that New York’s cybersecurity regulation became effective March 1, 2017. DFS, however, offered a two-year timeline for implementation of the regulation’s requirements, with a final compliance deadline of March 1, 2019. The final step in the implementation timeline requires regulated entities that use third-party providers to put in place policies and procedures ensuring the security of information systems and nonpublic information accessible to, or held by, such providers.

Superintendent Vullo today also reminded all regulated entities that the second certification of compliance covering the prior calendar year must be filed electronically via the DFS cybersecurity portal not later than February 15, 2019.

Under the cybersecurity rules, all banks, insurance companies, and other financial services institutions and licensees regulated by DFS are now required to have a cybersecurity program in place that is designed to protect consumers’ private data. The cybersecurity program has to perform a number of core cybersecurity functions, such as identification and assessment of cybersecurity risks regarding the Nonpublic Information stored on the Covered Entity’s Information Systems. The program also has to detect cybersecurity events, and respond to such events.

The entities also have to have a written policy or policies that are approved by the board or a senior officer. This policy has to address matters like data governance and classification, risk assessment, and incident response.

The firms affected by the new rules must have a Chief Information Security Officer to help protect data and systems. They also must secure protections of data at third-party providers. Furthermore, they need to have in place controls and plans to help ensure the safety and soundness of New York’s financial services industry.

Finally, covered entities and licensees must also report cybersecurity events to DFS through the Department’s online cybersecurity portal.

Cyber security is high on the agenda of the United States National Futures Association (NFA) too. Early in January this year, NFA clarified the amendments to its Information Systems Security Programs Interpretive Notice. The Association plans a raft of changes, including a requirement for members to inform it about certain cybersecurity-related incidents. Members (other than futures commission merchants for which NFA is not the DSRO) will have notify NFA of cybersecurity incidents related to their commodity interest business that:

• result in a loss of customer or counterparty funds or loss of a Member firm’s capital; or
• if a Member notifies its customers or counterparties of an incident pursuant to state or federal law.