The New York Department of Financial Services (NYDFS) has just issued proposed cybersecurity rules (Proposal) applicable to NYDFS-regulated firms (Covered Entities). The Proposal would impose mandatory “minimum requirements,” including the requirement that each Covered Entity establish a cybersecurity program and a cybersecurity policy that addresses 14 areas, including customer data privacy, vendor and third-party service provider management, risk assessment, incident response, audit trail, encryption, and periodic testing requirements. The Proposal also includes requirements for an annual compliance certification made by the board of directors and notification to NYDFS of “cybersecurity events.”

Comments on the Proposal are due by November 12, 2016, and the Proposal indicates that Covered Entities should be prepared to comply by June 30, 2017—180 days after the proposed January 1, 2017 effective date.

For a fuller discussion of the Proposal, please read our LawFlash on this subject.