New York always is at the vanguard of innovation when it comes to making people’s lives better with such inventions as air conditioning, credit cards and, not to be forgotten, the Cronut. This year, New York again is at the forefront of change. On March 1, 2017, the New York Department of Financial Services (DFS) issued “first-in-the-nation” cybersecurity regulations. 23 NYCRR 500. Governor Andrew Cuomo stated that the regulations will help assure that the financial services industry “has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes.”
The regulations impose stringent requirements on all businesses regulated by DFS, including banks, insurers, and other financial services companies. Subject entities, for example, will be required to appoint a chief information security officer, conduct regular cyber testing, provide cybersecurity awareness training, and implement multi-factor authentication. By August 28 of this year, covered businesses are required to meet certain of the regulations. By Feb. 15, 2018, companies are required to file a certification confirming compliance with the regulations. By March 2019, companies will be required to look beyond their own practices to ensure that vendors and third-party contractors also are meeting certain standards.