If you are a financial services company (bank, insurance company, asset manager) of reasonable size doing business in New York, this blog’s for you! Yesterday, I attended a meeting regarding the proposed New York State Cybersecurity Requirements For Financial Services Companies. In this meeting, Counsel from the Robinson+Cole Cybersecurity and Privacy Practice woke me up to the breadth and significance of this regulation. By June 30, 2017, all financial services companies doing business in NY State have to be in compliance with this regulation, and in 2018 they must begin annually submitting the following signed certification to the NY State Department of Financial Services:
Here is the abbreviated list of what you are going to need to do (please read the regulation for the complete, unabbreviated list):
• Within 5 years of enactment, have your data at rest encrypted
• Within 1 year of enactment, have data in transit encrypted
• Have the ability to reconstruct all financial and accounting records for at least six years should a cybersecurity event occur
• Designate a qualified Chief Information Security Officer (CISO) with responsibility for compliance with this regulation
• Employ sufficient cybersecurity personnel to manage risks and perform core cybersecurity functions, providing ongoing training to these personnel to keep their skills up to date
• Have multifactor authentication in place around internal systems and external networks
• Have a litany of policies and procedures in place around electronic and physical security, risk assessment, training, third parties, incident response, business continuity, and data destruction
• At least bi-annual reporting to your board of directors regarding the confidentiality, integrity, and availability of your organization’s information systems, policies and procedures, cyber risks, effectiveness of the cybersecurity program, exceptions to policies and procedures, and cybersecurity events that have occurred
If yours is one of the 1,900 or so organizations impacted by this regulation, you will find these requirements to be more prescriptive than the EU General Data Protection Regulation, the Gramm-Leach-Bliley Act, and the Payment Card Industry rules. However, there is a substantial amount of overlap between these regulations. Organizations that have been effective in addressing these other rules and regulations using RSA Archer should be well on their way to demonstrating compliance with this NY State regulation and minimizing the risk of litigation from non-compliance.