Deadline passes for companies to comply with New York's cybersecurity regulation


Time’s up for major banks, insurers and many of the companies they work with to comply with a New York State cybersecurity regulation that requires more data protection measures than anywhere else in the country.

The New York State Department of Financial Services Cybersecurity Regulation goes into full effect Friday, two years after officials began to put it in place.

“The Department has provided a two year transitional period to address these risks and expects Covered Entities to have completed a thorough due diligence process on all Third Party Service Providers by March 1, 2019,” the department said in an informational page.

The rules require DFS-covered entities, including financial firms, mortgage brokers, charities and health maintenance organizations, to use encryption, multi-factor authentication and tighter third-party risk assessments, such as penetration tests, to limit outsiders’ access to corporate data. Covered entities also must notify regulators about a data breach within 72 hours and appoint an executive to lead corporate security efforts.

DFS has not provided details about possible penalties for compliance failures.

Many financial firms already have the necessary boxes checked, though numerous legal experts have predicted the regulation will echo throughout the private sector. The rule covers firms and international subsidiaries operating in New York City, along with the rest of the state, requiring firms to meet a higher security baseline.

By requiring third-party assessments, penetration tests and audit trails, the logic goes, lawyers and security practitioners may force their corporate partners to raise their own standards. The European Union’s General Data Protection Regulation, which also includes a 72-hour breach notification stipulation, has similarly forced a corporate security reckoning.

DFS, meanwhile, has not waited for the regulation to take full effect to probe other instances of potential security-related negligence or wrongdoing.

The regulator in recent weeks has sent letters to Facebook and mobile app developers after Gov. Andrew Cuomo’s office sought more information about technology companies leveraging user data without consent.

Last year, DFS was among the regulators that ordered Equifax to take remediation steps following the 2017 data breach that compromised information on nearly 150 million people.
