What is being billed as a “first-in-the-nation cybersecurity regulation” put forth by New York Governor Andrew Cuomo takes effect on March 1 and will apply to all entities in the state that are regulated by New York’s Department of Financial Services (DFS).
According to a report, banks, trust companies, mortgage brokers and insurance companies will be required, within 180 days, to put in place comprehensive cybersecurity programs to make sure their systems and those of their clients are safe. When Cuomo announced the new legislation earlier this month, he hailed it as a “landmark regulation” that showcases New York’s position as the “financial capital of the world” and a leader in combating cyberattacks, which are happening at an increased pace.
Under the new regulation, financial entities have to conduct an initial risk assessment and design written policies that address the specific cybersecurity risks identified by that assessment. The board of directors and senior members of the company must sign off on the policies. The financial firms also have to engage in periodic penetration testing and vulnerability assessments; restrict access privileges and implement multi-factor authentication; engage qualified cybersecurity personnel; maintain written procedures designed to ensure the security of both internally and externally developed applications used by the covered entity; maintain policies designed to ensure the security of systems that are accessible by third-party service providers; and require ongoing cybersecurity training and monitoring of personnel, among other things.
What’s more, companies must notify the DFS within 72 hours of a breach and submit a written statement to DFS by Feb. 15 of each year certifying compliance with the new regulation. Firms that do not comply with the new requirement will be exposed to “substantial enforcement and reputational risk,” including “substantial fines.”