The New York Department of Financial Services ("DFS") adopted final revisions to its new cybersecurity regulations, which apply to a wide range of insurance, banking and financial services companies ("Covered Entities") under its supervision (see previous coverage of the proposed revisions). The regulations will take effect on March 1, 2017 and, starting in 2018, will require a Covered Entity to prepare and submit a Certification of Compliance annually by February 15 to the DFS concerning the firm's cybersecurity compliance program.
Required elements of the program include (i) the means to prevent and detect cyber events, (ii) the development of a cybersecurity policy, (iii) the appointment of a "qualified" chief information security officer, (iv) testing programs, (v) audit trails and (vi) access controls.
New York Governor Andrew M. Cuomo praised the new regulations:
"These strong, first-in-the-nation protections will help ensure [the financial services] industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes."