On March 1, 2017, the New York State Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies (the “Regulation”) came into effect. The Regulation establishes minimum cybersecurity standards for banks, insurance companies and financial services companies regulated by New York State law to ensure the safety and soundness of New York State’s financial services industry and to protect consumers.
The Regulation requires each regulated entity to assess its cybersecurity risks and design a cybersecurity program that addresses those risks in a robust fashion. The Regulation also requires a regulated entity’s senior management to take cybersecurity seriously and to be responsible for the entity’s cybersecurity program.
The key requirements of the Regulation include:
(1) a comprehensive risk-based cybersecurity program;
(2) a detailed, written cybersecurity policy;
(3) designation of a senior officer responsible for overseeing, implementing and enforcing the cybersecurity program and policy;
(4) periodic risk assessments;
(5) engagement of qualified, trained and informed cybersecurity personnel;
(6) cybersecurity policies/procedures for engaging third-party service providers;
(7) use of multi-factor authentication or equivalent risk-based authentication or controls; and
(8) other miscellaneous requirements, including the use of encryption and a suitable cybersecurity incident response plan.
The Regulation is consistent with cyber risk management guidance issued by Canadian financial industry regulators and self-regulatory organizations. The Regulation is a helpful benchmark for Canadian organizations of all kinds and sizes.