The New York Department of Financial Services (DFS) adopted rules requiring financial services institutions regulated by the DFS to maintain a cybersecurity program. Under the adopted rules, financial services institutions must establish and maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the financial services institutions’ information systems. The adopted rules also provide protections to prevent and avoid cyber breaches, including: controls relating to the governance framework for a robust cybersecurity program; risk-based minimum standards for technology systems; required minimum standards to help address cyber breaches; and accountability by requiring identification and documentation of material deficiencies, remediation plans and annual certifications of regulatory compliance. The adopted rules become effective March 1, 2017. Financial services institutions generally have 180 days (from March 1, 2017) to comply with the adopted rules. However, the adopted rules provide transitional periods of 1 year, 18 months and 2 years for certain provisions.
See the New York Department of Financial Services website for the full text of the Regulations.