We have previously reported on the upcoming New York Financial Services Cybersecurity Regulations. On February 16, 2017, Governor Andrew M. Cuomo announced that “the first-in-the-nation cybersecurity regulation to protect New York’s financial services industry and consumers from the ever-growing threat of cyber-attacks will take effect on March 1, 2017.”
New York officials are touting the regulation as “risk based.” It requires financial services companies regulated by the New York State Department of Financial Services (DFS) to comply by implementing a cybersecurity program that will prevent and avoid cyber breaches.
In addition, the regulation requires that the top levels of the company instill a culture of compliance into the organization and be responsible for the cybersecurity program, including certifying compliance to the Superintendent on an annual basis.
The regulation sets out specific requirements that must be included in the cybersecurity program, including the designation of a Chief Information Security Officer and appropriate oversight of the program.
The Superintendent of DFS will enforce the regulations. The regulations go into effect on March 1, 2017, and covered entities will be required to annually prepare and submit a Certification of Compliance to the Superintendent starting February 15, 2018.