New York Adopts Cybersecurity Requirements for Financial Services Companies
New York has adopted provisions regarding cybersecurity requirements for financial services companies.
The provisions are effective as of March 1, 2017, and covered entities “shall have 180 days from the effective date of this Part to comply with the requirements set forth in this Part, except as otherwise specified.” There are certain specified provisions with additional transitional periods, ranging from one to two years.
In part, covered entities “shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems.”
Covered entities “shall implement and maintain a written policy or policies, approved by a Senior Officer or the Covered Entity’s board of directors (or an appropriate committee thereof) or equivalent governing body, setting forth the Covered Entity’s policies and procedures for the protection of its Information Systems and Nonpublic Information stored on those Information Systems.”
Each covered entity “shall designate a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy (for purposes of this Part, ‘Chief Information Security Officer’ or ‘CISO’).”
The provisions also require that covered entities “utilize qualified cybersecurity personnel of the Covered Entity, an Affiliate or a Third Party Service Provider sufficient to manage the Covered Entity’s cybersecurity risks and to perform or oversee the performance of the core cybersecurity functions specified in section 500.02(b)(1)-(6) of this Part.”
In addition, covered entities shall perform penetration testing and vulnerability assessments, securely maintain an audit trail, and perform risk assessments.