NYDFS Reminds Regulated Entities of Approaching Cybersecurity Regulation Compliance Date | Practical Law


Superintendent for the NYDFS reminded regulated entities that the third compliance effective date for New York's new cybersecurity regulation is September 4, 2018; this date marks the end of the 18-month transitional period within which covered entities will be expected to be in compliance with the five new requirements of Sections 500.06, 500.08, 500.13, 500.14(a), and 500.15 of 23 NYCRR Part 500.


by Practical Law Finance
Published on 16 Aug 2018
USA (National/Federal)
On August 8, 2018, the Superintendent for the New York State Department of Financial Services (NYDFS), Maria T. Vullo, reminded regulated entities that the third compliance effective date for New York's new cybersecurity regulation is September 4, 2018; this date marks the end of the 18-month transitional period within which covered entities will be expected to be in compliance with the five new requirements of Sections 500.06, 500.08, 500.13, 500.14(a), and 500.15 of 23 NYCRR Part 500.
Section 500.06 requires covered organizations to maintain sufficient audit trail information for either three or five years, depending on whether the trails are kept for material financial transactions or for the detection of cybersecurity events, respectively. The systems must be designed to reconstruct the entity's material financial transactions in enough detail to support normal operations and obligations, and the audit trail must be designed to detect and respond to potentially harmful cybersecurity events.
Section 500.08 requires organizations to have a cybersecurity program with written procedures, guidelines, and standards in place. Such programs must be designed to ensure the use of secure development practices for applications developed in-house and used by the organization. There must also be procedures for evaluating the security of externally developed applications used within the organization's technology environment, and these procedures, guidelines, and standards must be periodically reviewed by the Chief Information Security Officer.
Section 500.13 requires organizations to include policies and procedures in their cybersecurity program that deal with the secure, periodic disposal of nonpublic information (defined within the regulation) that is not necessary for business operations or another legitimate purpose, except as required by law or where disposal is not reasonably feasible.
Section 500.14(a) requires organizations, as part of their cybersecurity program, to implement risk-based policies, procedures, and controls that are designed to monitor authorized user activity and detect the inappropriate use of nonpublic information.
Section 500.15 requires organizations to implement controls, including encryption, to protect nonpublic information. The controls should cover both the organization's internal environment and external networks.
The next compliance date under this regulation is March 1, 2019, at which time covered entities must be in compliance with Section 500.11 of 23 NYCRR Part 500.
For more information on the NYDFS's cybersecurity regulations, see Article, NY Department of Financial Services Cybersecurity Regulations for Banks.