Financial companies regulated by New York State Department of Financial Services have less than a month to comply with another round of cybersecurity rules, the agency’s head warned Wednesday.
The state’s financial services superintendent, Maria Vullo, said companies must be in compliance with a third phase of cybersecurity requirements, including encryption and heightened data breach protection, by Sept. 4. The requirements are part of a larger cybersecurity regulation mandate that began in March 2017, marking New York as the first state in the nation to issue such prescriptive laws.
“New York stepped into the void and took decisive action to ensure appropriate minimum standards protecting financial institutions’ data systems, including consumers’ sensitive personal information,” Vullo said in a press release. “These new protections, which include encryption, access controls and audit trails, add crucial tools to the regulation’s prior requirements in protecting the institutions and consumers.”
As part of the additional requirements, covered companies must have encryption to protect nonpublic data and ramp up audits of their cybersecurity program, including having an audit trail that can reconstruct financial transactions in the event of a breach. A company’s chief information officer must also report to the board annually about “critical aspects of the cybersecurity program,” the DFS said.
Covered companies also have to implement procedures on how they would securely dispose of data that is no longer useful to the business. And the monitoring system must include “risk-based monitoring” of anyone with access to the company’s information systems or its nonpublic data.
“Sept. 4th marks another important milestone in further protecting the financial services industry and the consumers they serve from the threat of cyberattacks thanks to DFS’s landmark cybersecurity regulation,” Vullo said.
The department also warned that covered companies that use a third-party service provider must evaluate the risk of that vendor and ensure their security systems and data are protected by March 1, 2019.