ALBANY, N.Y.—The New York Department of Financial Services (NYDFS) has issued a reminder for regulated entities required to comply with the state’s cybersecurity requirements that the third transitional period ends Sept. 4.
Citing the NYDFS rule, Buckley Sandler said that banks, credit unions, insurance companies, and other financial services institutions that are required to implement a cybersecurity program to protect consumer data must be in compliance with additional provisions of the cybersecurity regulation by this date.
As of Sept. 4, a covered entity must have its chief information security officer start presenting annual reports to the board on “critical aspects of the cybersecurity program”; create an “audit trail designed to reconstruct material financial transactions” in case of a breach; institute policies and procedures to ensure the use of “secure development practices for IT personnel that develop applications”; and implement encryption to protect nonpublic information it holds or transmits.
Covered entities are also required to have policies and procedures in place “to ensure secure disposal of information that is no longer necessary for the business operations, and must have implemented a monitoring system that includes risk based monitoring of all persons who access or use any of the company’s information systems or who access or use the company’s nonpublic information,” Buckley Sandler reported.
Covered entities are further reminded that they have until March 1, 2019, to assess the risks presented by the use of a third-party service provider to ensure the protection of their security systems and data.
