Imminent deadlines loom under both the New York Department of Financial Services' Cybersecurity Regulations for Financial Services Companies (23 NYCRR Part 500, "the Cybersecurity Regulations") and its Registration Requirements & Prohibited Practices For Credit Reporting Agencies (23 NYCRR Part 201, "the Credit Reporting Agency Requirements"). This Stroock Special Bulletin provides an overview of those deadlines.

The Cybersecurity Regulations

The eighteen-month transitional period under the Cybersecurity Regulations expires on September 4, 2018.

The Cybersecurity Regulations went into effect March 1, 2017, with phased implementation dates. Some of the earlier implementation deadlines required Covered Entities – "any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law" – to register with the NYDFS by February 5, 2018.

Effective September 4, 2018, Covered Entities will need to comply with the following provisions (in addition to those already required):

  • Section 500.06 Audit Trail.
    Implement and maintain an audit trail designed to: (1) reconstruct material financial transactions to support normal operations; and (2) detect and respond to Cybersecurity Events;
  • Section 500.08 Application Security.
    Adopt written procedures to: (1) ensure the use of secure development practices for in-house developed applications; and (2) evaluate the security of externally developed applications;
  • Section 500.13 Limitations on Data Retention.
    Adopt a data retention policy, including procedures for the secure disposal of nonpublic information;
  • Section 500.14 Training and Monitoring.
    Implement policies and procedures to monitor the activity of authorized users and detect unauthorized access to, use of, or tampering with nonpublic information (the cybersecurity awareness training requirement for employees was already in effect); and
  • Section 500.15 Encryption of Nonpublic Information.
    Implement controls, including encryption, to protect nonpublic information at rest and in transit.

Notably, the final phase of implementation requires compliance with Section 500.11 Third Party Service Provider Security Policy by March 1, 2019. In general, Covered Entities must implement written policies and procedures to ensure the security of information systems and nonpublic information that are "accessible to, or held by, Third Party Service Providers." The policies must include "guidelines for due diligence and/or contractual protections relating to Third Party Service Providers," including whether certain of the provisions applicable to Covered Entities, such as encryption, should flow through to third party service providers.

The Credit Reporting Agency Requirements

The Credit Reporting Agency Requirements require every consumer credit reporting agency that, within the previous 12-month period, has assembled, evaluated, or maintained a consumer credit report on one thousand or more New York consumers, to register with the NYDFS by September 15, 2018.

Additionally, and potentially more onerous, such agencies are also required to comply with the Part 500 Cybersecurity Regulations applicable to financial services companies. As applied to credit reporting agencies, these requirements are phased in, with an initial compliance deadline of November 1, 2018. As of November 1, agencies will need to comply with the following provisions:

  • Section 500.02 Cybersecurity Program.
    Maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity's information system, including detection of, response to and recovery from a cybersecurity event;
  • Section 500.03 Cybersecurity Policy.
    Implement and maintain a written policy, approved by a senior officer or the board of directors, for the protection of its information systems and nonpublic information, addressing at least 14 separate topics;
  • Section 500.07 Access Privileges.
    Implement and periodically review user access privileges;
  • Section 500.10 Cybersecurity Personnel and Intelligence.
    Utilize and train qualified cybersecurity personnel;
  • Section 500.16 Incident Response Plan.
    As part of the cybersecurity program, establish a written incident response plan, which must address certain enumerated aspects;
  • Section 500.17 Notices to Superintendent.
    Notify the superintendent as promptly as possible but in no event later than 72 hours from a determination that a cybersecurity event has occurred.

The remaining provisions are phased in on February 28, 2019, August 31, 2019 and December 31, 2019.
