The New York Department of Financial Services cybersecurity regulation 23 NYCRR 500 (the “Regulation”) came into effect in March 2017 and established four staggered compliance deadlines for its various requirements.
By the third deadline of September 3, 2018, Covered Entities are required to be in compliance with sections 500.06 (audit trails), 500.08 (application security), 500.13 (limitations on data retention), 500.14(a) (training and monitoring), and 500.15 (encryption of nonpublic information).
Summarized below are the key requirements of these sections:
Section 500.06: Audit Trails
Section 500.08: Application Security
Section 500.13: Limitations on Data Retention
Section 500.14(a): Training and Monitoring
Section 500.15: Encryption of Nonpublic Information
By February 15, 2019, Covered Entities must submit a certification of compliance with these requirements.
The last remaining compliance deadline is March 1, 2019, by which time Covered Entities must implement a Third-Party Service Provider Security Policy as provided in section 500.11.
For more information on the Regulation, please see our November 2016, December 2016, January 2017, March 2017 and April 2017 blog posts.