Posted in IT Law, Miscellaneous

NYDFS Proposes Regulations Imposing Detailed Cybersecurity Rules

Again on the proposed NYDFS cybersecurity regulation, the main requirements it would impose on covered entities are the following:

  • A Chief Information Security Officer (“CISO”) to be appointed, to report to the Board of Directors (“BoD”) at least twice a year and to submit such reports to the NYDFS;
  • BoD review and senior officer approval of the written cybersecurity/information security policy (incident response plan included) at least once per year;
  • Penetration tests (at least once per year), vulnerability assessments (at least quarterly) and written risk assessments (at least annually) on the entity’s information systems;
  • Encryption of certain nonpublic information;
  • Multi-factor authentication for external access to databases and for privileged access to nonpublic information;
  • Limitations on the retention period of “nonpublic information”;
  • Regular employee training and monitoring of authorized users with access to nonpublic information;
  • Incident response procedures and internal reporting on “Cybersecurity Events”, plus notification to the New York Superintendent of Financial Services (the “Superintendent”) within 72 hours of any Cybersecurity Event that has a reasonable likelihood of materially affecting the normal operation of the entity or that affects nonpublic information; and
  • Annual certification of compliance to the Superintendent by the entity’s BoD.

Author:

Junior Legal Counsel with a remarkable lust for legal and business knowledge
