March 1, 2018 marks the end of the one-year transition period within which banks, insurance companies, and other financial services institutions and licensees regulated by the New York Department of Financial Services (“Covered Entities”) must have implemented a cybersecurity program. By March 1, the Covered Entities must be in compliance with the following requirements:

23 NYCRR 500 §§:

  • 04(b): Chief Information Security Officer (“CISO”) – Each Covered Entity must have designated a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy. The CISO of each Covered Entity shall report in writing at least annually to the Covered Entity’s board of directors or equivalent governing body. The CISO shall report on the Covered Entity’s cybersecurity program and material cybersecurity risks.
  • 05: Penetration Testing and Vulnerability Assessments – The cybersecurity program for each Covered Entity shall include monitoring and testing, developed in accordance with the Covered Entity’s risk assessment. The monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessment.
  • 09: Risk Assessment – Each Covered Entity shall conduct a periodic risk assessment of the Covered Entity’s information systems sufficient to inform the design of the cybersecurity program as required by this part. The risk assessment shall be carried out in accordance with written policies and procedures and shall be documented.
  • 12: Multi-Factor Authentication – Based on its risk assessment, each Covered Entity shall use effective controls, which may include multi-factor authentication or risk-based authentication, to protect against unauthorized access. Multi-factor authentication shall be used for any individual accessing the Covered Entity’s internal networks from an external network.
  • 14(b): Training and Mentoring – Each Covered Entity shall provide regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the Covered Entity in its risk assessment.

A PDF containing detailed descriptions for each requirement is found here.

Carrie Turner

Carrie Turner is a member of Robinson+Cole’s Insurance + Reinsurance Group, where she focuses her practice on breach of contract, first- and third-party insurance coverage disputes, coverage analysis, cyber liability, property damage claims, environmental and contamination loss, breach of fiduciary duty, bad faith, and other extracontractual claims litigation.

Prior to joining Robinson+Cole, Ms. Turner clerked for the Honorable Boyce F. Martin, Jr. on the United States Court of Appeals for the Sixth Circuit. Ms. Turner has experience litigating and advising insurers and reinsurers on a broad range of coverage issues, including litigation arising from 9/11. She has litigated from inception to settlement numerous Superstorm Sandy claims regarding flood exclusion issues. Her additional litigation experience includes general commercial, corporate and partnership disputes, attorney malpractice, and a broad range of contract disputes at both the trial and appellate levels. She has authored appellate briefs in various state and federal courts.

Read Carrie’s rc.com bio.

Benjamin Jensen

Benjamin Jensen is a partner in the firm’s Business Litigation Group, where he is a member of the Intellectual Property Litigation and Data Privacy and Security Practice Teams. His practice involves representing clients in complex business litigation matters in state and federal courts, with a focus on matters involving intellectual property, data security, and contract disputes. Benjamin’s practice also includes representing health care providers and corporate clients in regulatory matters before the Connecticut departments of Health, Social Services, and Banking. Read his rc.com bio here.

Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security Team. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law. Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.

Norman Roos

Norman Roos, a member of Robinson+Cole’s Business Transactions Group, concentrates his practice on transactional, regulatory, and technology matters relating to the financial services and real estate industries. He is also a member of the firm’s Financial Services Cyber-Compliance Team and advises financial institutions concerning data privacy and security matters, particularly in relation to policy planning and implementation.

Mr. Roos is counsel to the Connecticut Mortgage Bankers Association, Inc., and is president-elect of the American College of Mortgage Attorneys where he has served on the Board of Regents and as Connecticut State Chair. A member of the Connecticut Bar Association, Mr. Roos is Past Chair of the Financial Institutions Law Section. He has served on a number of Connecticut Law Revision Study Committees including those on Uniform Common Interest Ownership Act, Electronic Communications, Mortgagor Liability, and Electronic Recording of Land Records. Read his full bio here.