NYDFS Cybersecurity Regulation’s Third-Party Requirements Are Live
What You Need To Know
The Regulation as a whole, which seeks to address the growing cyber threat to information and financial systems, became effective on March 1, 2017. A number of the Regulation’s provisions were subject to transitional periods, the last being the two-year transitional period for Section 500.11. As of March 1, 2019, Section 500.11 is effective. The Regulation applies to financial services companies, such as commercial banks, credit unions, health insurers, investment companies, mortgage brokers, and offices of foreign banks, that are required to obtain licensure or similar authorization from the New York State Department of Financial Services (covered entities). While the Regulation largely codifies cybersecurity practices that many financial companies in New York already follow, for example under the PCI DSS standards, the biggest adjustment is that regulators at the Department of Financial Services are now able to enforce compliance and penalize noncompliance.
Section 500.11 requires covered entities to:
- Implement written policies and procedures, based on the covered entity’s risk assessment, that address the identification and risk assessment of third-party service providers, the minimum cybersecurity practices those providers must meet, due diligence to evaluate the adequacy of their cybersecurity practices, and periodic assessment of those providers; and
- Establish guidelines for due diligence and/or contractual protections relating to third-party service providers that address, to the extent applicable, access controls (including multi-factor authentication), encryption of nonpublic information in transit and at rest, notice in the event of a cybersecurity event directly affecting the covered entity’s information systems or nonpublic information, and representations and warranties addressing the third party’s cybersecurity policies and procedures.
It is important to note that there is no one-size-fits-all solution for third-party service providers. The appropriate controls will depend on the role a service provider plays for the covered entity, what access it has to the covered entity’s information systems and nonpublic information, what controls are already in place, and any associated threats, among other factors.
It is unclear at this time what the penalties for noncompliance with the Regulation will be, other than fines. There has not been much enforcement to date, though the Department of Financial Services has sent notifications to covered entities that had not filed their annual certification of compliance, as required by Section 500.17(b). Such notifications may be followed by harsher warnings.