How to Comply With New York’s Cybersecurity Regulation

New York this year became the first state to set minimum cybersecurity standards by which all banks, insurance companies and other financial services institutions regulated by the state’s Department of Financial Services must abide, says Paul Ferrillo, an attorney at New York law firm Weil, Gotshal & Manges.


Since Aug. 28, the “Cybersecurity Requirements for Financial Services Companies,” or 23 NYCRR Part 500 under New York state law, has required banks, insurance companies and other financial services institutions regulated by DFS to put in place a cybersecurity program, maintain written policies, report all “cybersecurity incidents” and ensure a CISO is in place, among other requirements (see Gauging the Impact of New York’s New Cyber Rules).

“Think of it … as a playbook or a guidepost,” Ferrillo says in an interview with Information Security Media Group. “What are the most important things that these entities should be doing? For instance, what policies should they implement and maintain, like a privacy policy, like asset inventory, like a security policy? Should they have a designated officer, like a chief information security officer … who’s responsible for the security of the data within the firm? Should they be doing vulnerability and risk assessments? The answer, of course, is yes, and a lot of them.”

In the interview, Ferrillo also discusses:

  • The new 72-hour breach notification requirement;
  • Overlaps between New York’s regulation and other state and federal laws, and the EU’s General Data Protection Regulation;
  • Potential penalties any DFS cybersecurity regulation violators might face.

Ferrillo is counsel in Weil’s litigation department, where he focuses on complex securities and business litigation, and internal investigations. He also is part of Weil’s cybersecurity, data privacy and information management practice. Ferrillo has authored several books, including “Navigating the Cybersecurity Storm: A Guide for Directors and Officers.” He previously served as vice president and associate general counsel at insurance giant AIG.

[Image: DFS Cybersecurity Notification Requirements, an excerpt from New York’s “Cybersecurity Requirements for Financial Services Companies,” aka 23 NYCRR Part 500.]

Source: Bank Info Security