In early 2017 (the rule took effect on March 1, 2017), the New York Department of Financial Services adopted 23 NYCRR Part 500, which requires each Covered Entity to maintain a cybersecurity program based on its risk assessment. In particular, the cybersecurity program must:
- identify internal and external risks to Nonpublic Information (NPI);
- use defensive infrastructure, policies, and procedures, to protect Information Systems;
- detect Cybersecurity Events;
- respond to, mitigate the effects of, and recover from Cybersecurity Events; and
- fulfill all applicable regulatory reporting obligations.[1]
Other requirements of the rule include:
- All Covered Entities must adopt written policies and procedures for risk assessment, conduct a periodic risk assessment of their Information Systems, and maintain a written incident response plan for responding to and recovering from any Cybersecurity Event that materially affects the confidentiality, integrity, or availability of the Covered Entity's Information Systems or the continuing functionality of its business.[2]
- All Covered Entities must also implement written policies and procedures governing the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third-Party Service Providers.[3]
- Each Covered Entity must designate a qualified individual to oversee and implement its cybersecurity program and enforce its cybersecurity policy, serving as Chief Information Security Officer (CISO) or in a comparable role; the rule permits that individual to be employed by the Covered Entity, an affiliate, or a Third-Party Service Provider.[4]
The rule also imposes a number of technical, reporting, and recordkeeping requirements of which Covered Entities must be aware. In particular, a Covered Entity must notify the Superintendent within 72 hours of determining that a Cybersecurity Event has occurred that either requires notice to another government, self-regulatory, or supervisory body or has a reasonable likelihood of materially harming any material part of the entity's normal operations. Note that the 72-hour clock runs from the Covered Entity's determination that a qualifying event occurred, not from the event itself, so the incident response plan should define who makes that determination and how it is documented.[5]
[1] N.Y. Comp. Codes R. & Regs. tit. 23, § 500 (2017).
[2] Id. §§ 500.02, 500.03, 500.09, 500.16.
[3] Id. § 500.11.
[4] Id. § 500.04.
[5] Id. § 500.17.