New York New Cybersecurity Regulations


The State of New York’s Department of Financial Services (NYDFS) finalized its new cybersecurity regulations, which took effect on March 1, 2017. The new rules have a longer reach, affecting not only the financial institutions doing business in New York state but also health insurers. This includes companies who provide information to health insurers such as medical practitioners, laboratories, and hospital facilities.

The new regulations enforced by NYDFS also aim to regulate small organizations with less-developed cybersecurity infrastructure, such as charitable foundations, foreign bank branches, certain types of mortgage bankers, and providers of maintenance contracts and extended warranties on consumer products.

At this point, New York’s cybersecurity regulations are the most stringent rules in existence in the country. Thus, other countries, industries, and states have been keeping a close eye on the impact of the new rules, the challenges they present, and what future amendments can be expected.

“With cyber-attacks on the rise and comprehensive federal cybersecurity policy lacking for the financial services industry, New York is leading the nation with strong cybersecurity regulation requiring, among other protective measures, set minimum standards of a cybersecurity program based on the risk assessment of the entity, personnel, training and controls in place in order to protect data and information systems,” said Financial Services Superintendent Maria T. Vullo in an interview.

Here are the new requirements stipulated in the NY DFS 23 NYCRR 500:

  • A cyber security plan which must be reviewed annually by the Board of Directors of each organization and signed off by a C-level officer.
  • Notification of NYDFS of any material cybersecurity incident within 72 hours.
  • Employment of a Chief Information Security Officer (CISO) to lead cybersecurity programs.
  • Annual penetration testing of relevant information systems, and quarterly vulnerability assessments of those systems.
  • Detailed provisions to “log system events including, at a minimum, access and alterations made to the audit trail systems by the systems or by an Authorized User, and all system administrator functions performed on the systems.”
  • Six-year record retention requirements and secure disposal on a periodic basis of any Nonpublic Information.
  • Significant third-party requirements. Third parties accessing covered customer information must certify their own cyber-security program, notify a covered customer organization immediately of any security breach, and warrant that their products and services are free of various security threats.
  • Two-factor authentication and encryption “to protect nonpublic information in transit and at rest.”
  • Significant penalties for non-compliance and significant costs to help consumers affected by security breaches, including providing identity protection services to people whose data has been compromised.

Implications of New Cybersecurity Rules

While the major driver for the new regulation is to ensure safe and secure transaction systems, it can’t be denied that document and messaging systems also play a major role in the enactment of this regulatory compliance regimen.

The best way for companies to avoid non-compliance is to make sure that no personally identifying information is created in the first place. But if it is created unintentionally, then the information should be moved to a dedicated archive system immediately to avoid accidental data leaks.

The encryption of nonpublic information can also be challenging for companies that already have an existing archiving platform in place but lack the security features necessary to protect archived information. While the idea of a mass migration might be daunting, the risks of noncompliance with the new regulations are far more threatening to the organization.

It can take a while before organizations achieve compliance with the specific requirements set by NYDFS. But this can also be viewed as an opportunity for companies to upgrade their legacy archive systems and leverage the advantages of newer platforms that are built to adapt to the ever-changing scope of regulatory requirements across different industries.

Conclusion

With the new NYDFS cybersecurity regulations, it has become more important for companies – specifically the smaller and more specialized firms – to reassess their archiving practices and platforms.

TeleMessage’s Mobile Archiver solution is a platform that can effectively address compliance, regulatory and eDiscovery response requirements. Our mobile archiving offering securely captures content from mobile carriers and mobile devices for a variety of ownership models (BYOD, CYOD, and employer-issued).

Contact us now to learn more about our solutions.
