Financial Services Superintendent Maria T. Vullo today reminded all Department of Financial Services (DFS) regulated entities covered by DFS’s landmark cybersecurity regulation that the third transitional period of New York’s first-in-the-nation cybersecurity regulation ends on September 4, 2018. Beginning on September 4, 2018, banks, insurance companies, and other financial services institutions regulated by DFS are required to have come into compliance with several additional provisions of the cybersecurity regulation that are vital to the governance and components of a robust financial services cybersecurity program.

“September 4th marks another important milestone in further protecting the financial services industry and the consumers they serve from the threat of cyber-attacks thanks to DFS’s landmark cybersecurity regulation,” said Superintendent Vullo. “New York stepped into the void and took decisive action to ensure appropriate minimum standards protecting financial institutions’ data systems, including consumers’ sensitive personal information. These new protections, which include encryption, access controls and audit trails, add crucial tools to the regulation’s prior requirements in protecting the institutions and consumers.”

Starting September 4th, companies will be required to have commenced mandatory annual reporting to the board by the Chief Information Security Officer concerning critical aspects of the cybersecurity program, have an audit trail designed to reconstruct material financial transactions sufficient to support normal operations in the event of a breach, and will need to have policies and procedures in place to ensure the use of secure development practices for IT personnel that develop applications for the Covered Entity. Companies also must implement encryption to protect nonpublic information held or transmitted by the company. Entities are also required to have developed policies and procedures to ensure secure disposal of information that is no longer necessary for the business operations, and must have implemented a monitoring system that includes risk based monitoring of all persons who access or use any of the company’s information systems or who access or use the company’s nonpublic information.

DFS also reminds regulated entities that under DFS’s regulation, if they utilize Third-Party Service Providers, they must evaluate the risk that any Third-Party Service Providers pose to the security of those systems and data and ensure those systems and data are protected by March 1, 2019.

For further information about New York’s cybersecurity regulation, please see the frequently asked questions on the DFS website.