September 4, 2018 marks the end of the transitional period for covered entities to comply with several key provisions of the NYDFS Cybersecurity Requirements that require certain systemic and sustained measures. These provisions include the encryption and audit trail requirements as well as ones relating to the implementation of monitoring policies, procedures, and controls, application security, and data retention limitations.
- Encryption (500.15): The regulation requires covered entities to encrypt Nonpublic Information held or transmitted by a covered entity both in transit over external networks and at rest. Although the provision contains an allowance for circumstances in which encryption is infeasible, both the infeasibility determination and the use and effectiveness of compensating controls require approval and annual review by the covered entity’s CISO.
- Audit Trail (500.06): A key part of the regulation’s approach to recovery and resiliency, this provision requires a covered entity to securely maintain systems that are designed to reconstruct material financial transactions and to implement audit trails designed to detect and respond to events that have a reasonable likelihood of impacting material operations of the covered entity. In addition to requiring multiple determinations of materiality thresholds within a covered entity, this provision also contains record-keeping requirements.
- Monitoring Policies, Procedures, and Controls (500.14(a)): These measures are intended to monitor and prevent insider misuse or unauthorized access by users of a covered entity’s Nonpublic Information. As of September 4, a covered entity is expected to have implemented risk-based policies, procedures, and controls that are designed to monitor and detect unauthorized activity by otherwise authorized users.
- Application Security (500.08): This provision requires a covered entity to implement and maintain written procedures, guidelines, and standards that govern the development and deployment of internally developed applications as well as externally developed applications. The regulation requires the CISO to periodically review and assess these procedures, guidelines, and standards as a part of its cybersecurity program. This provision is particularly relevant for a covered entity that may be acquiring or merging with another company, because NYDFS has taken the position in recent guidance that the CISO review and assessment under 500.08(b) requires a factual analysis of how these regulatory requirements apply to the acquisition, and that cybersecurity considerations should be an integral part of the due diligence process.
- Data Retention Limitation (500.13): This provision requires a covered entity to maintain policies and procedures for the secure disposal of certain kinds of personally identifiable information and personal health-related information to the extent this information is no longer needed for legitimate business purposes or operations. The regulation carves out an exception for additional retention due to legal or regulatory obligations, as well as for instances in which disposal is “not reasonably feasible” in certain circumstances.
Covered entities are expected to certify compliance with these provisions in their February 15, 2019 certifications. Notably, to the extent covered entities are also licensed pursuant to South Carolina insurance laws, they may also be subject to South Carolina’s new and prescriptive data security law. South Carolina’s law takes effect on January 1, 2019, with additional transitional compliance deadlines of July 1, 2019 and July 1, 2020.