The New York State Department of Financial Services (“DFS”) Cybersecurity Regulation (“Regulation”) took effect on March 1, 2017, and applies to those entities operating or required to operate under New York banking, insurance and finance laws (“Covered Entities”). Covered Entities should have been in compliance with portions of the Regulation as of August 28, 2017, for which they certified compliance on February 15, 2018.
The next round of compliance deadlines is fast approaching. By September 3, 2018, Covered Entities are to have the following in place:
- Audit Trail (500.06). Covered Entities must maintain systems designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the Covered Entity (and keep such records for no fewer than five years). They must also include audit trails to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity (and keep such records for no fewer than three years).
- Application Security (500.08). Maintenance of policies and procedures is required to foster secure development practices for in-house developed applications and procedures for evaluating, assessing or testing the security of externally developed applications. The DFS issued a FAQ on this particular section, noting that compliance with the Regulation should be addressed in acquisitions and mergers involving Covered Entities.
- Limitations on Data Retention (500.13). Policies and procedures are required for the secure disposal on a periodic basis of any non-public information (“NPI”) (as defined under the Regulation) that is no longer necessary for business operations or for other legitimate business purposes of the Covered Entity, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.
- Training and Monitoring (500.14). Further development of policies is required for the continued monitoring of authorized users and detection of unauthorized users, along with continued cybersecurity awareness training.
- Encryption of NPI (500.15). Controls, including encryption, should be employed to protect NPI held or transmitted by the Covered Entity both in transit over external networks and at rest. To the extent encryption of NPI in transit is infeasible, a Covered Entity may instead secure such NPI using effective alternative compensating controls reviewed and approved by the Chief Information Security Officer (“CISO”). If compensating controls are used, the CISO should review them annually.
Note that on or before February 15, 2019, Covered Entities must submit a certification of compliance with respect to the requirements above, in addition to those requirements that were subject to the first certification made on or before February 15, 2018. (500.17(b)).
Next on the horizon is the Third-Party Service Provider Security Policy (500.11), which must be in place by March 1, 2019. After that milestone, Covered Entities must submit a certification to the Superintendent of Financial Services on or before February 15 of each year. (500.17(b)).
For any questions regarding the Regulation, or if you require assistance in preparing policies or training on the above requirements, please contact Jennifer A. Beckage at (716) 510-0306 or jbeckage@phillipslytle.com.