The question gets asked quite frequently in regulatory circles: “Will the New York State Department of Financial Services bring an enforcement action under its cybersecurity regulation, and if so, when?” The probable answers are “yes” and “soon.” As discussed below, a number of traditional factors that animate decisions about enforcement point to a likelihood in the near term of an enforcement proceeding against one or more regulated entities for a violation of the DFS cybersecurity regulation, known as “Part 500.” (23 N.Y.C.R.R. §500.)
Background on Part 500
First issued in March 2017, Part 500 contained a two-year implementation period and has been fully effective for approximately nine months. Generally, regulated institutions must implement and maintain a “robust” cybersecurity program, including such core elements as:
• a written policy, approved by the board of directors or a senior officer, setting forth the procedures for protecting information systems and stored non-public information, and including a written incident response plan designed to promptly respond to and recover from a Cybersecurity Event;
• periodic risk assessments, updated as necessary to address changes to systems, types of data, or operations;
• continuous monitoring; or alternatively, annual penetration testing and bi-annual vulnerability assessments;
• notification to DFS within 72 hours of a qualifying Cybersecurity Event;
• a Chief Information Security Officer responsible for overseeing the cybersecurity program;
• risk-based limits on user access privileges to information systems, with periodic review of such privileges;
• written policies and procedures governing information systems and non-public information accessed or held by third-party service providers;
• effective controls such as multi-factor authentication and encryption of non-public information at rest and in transit; and
• annual certification of compliance by the board of directors or a senior officer of the entity.