The New York Department of Financial Services cybersecurity regulation 23 NYCRR 500 (the “Regulation”) came into effect in March 2017 and established four staggered compliance deadlines for its various requirements.

By the third deadline of September 3, 2018, Covered Entities are required to be in compliance with sections 500.06 (audit trails), 500.08 (application security), 500.13 (limitations on data retention), 500.14(a) (training and monitoring), and 500.15 (encryption of nonpublic information).

Summarized below are the key requirements of these sections:

Section 500.06: Audit Trails

•  Maintain systems that, to the extent applicable and based on the Covered Entity’s risk assessment, (1) are designed to reconstruct material financial transactions sufficient to support normal operations and obligations, and (2) include audit trails designed to detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity.
•  Records required by (1) and (2) are subject to retention periods of 5 and 3 years, respectively.

Section 500.08: Application Security

•  Included in the cybersecurity program (1) written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications, and (2) procedures for evaluating the security of externally developed applications.
•  The CISO must periodically review such procedures, guidelines and standards.    

Section 500.13: Limitations on Data Retention

•  Have policies and procedures for the periodic disposal of any Nonpublic Information identified in section 500.01(g)(2)-(3)that is no longer necessary for business operations or for other legitimate business purposes (except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained).

Section 500.14(a): Training and Monitoring

•  Implement risk-based policies, procedures and controls designed for monitoring authorized users, including detecting unauthorized access to Nonpublic Information.

Section 500.15: Encryption of Nonpublic Information

•  Based on the Covered Entity’s risk assessment, implement controls, including encryption, to protect Nonpublic Information held or transmitted by the Covered Entity both in transit over external networks and at rest.
•  If such encryption is determined to be infeasible, the Covered Entity may use effective alternative compensating controls reviewed and approved by the CISO.

By February 15, 2019, Covered Entities must submit a certification of compliance with these requirements.

The last remaining compliance deadline is March 1, 2019, by which time Covered Entities must implement a Third-Party Service Provider Security Policy as provided in section 500.11.

For more information on Regulation, please see our November 2016December 2016January 2017March 2017 and April 2017 blog posts.