Insurance & Finance Must Comply with NY Cybersecurity Regulation
As of August 28, 2017, "Covered Entities" such as banks, insurance companies, and other financial services institutions must comply with the New York State Department of Financial Services' (DFS) recently adopted cybersecurity regulation. All regulated entities must have:
• a cybersecurity program designed to protect consumers’ private data;
• a written policy or policies that are approved by the board or a senior officer;
• a Chief Information Security Officer (CISO) to help protect data and systems; and
• controls and plans to help ensure the safety and soundness of New York’s financial services industry.
Entities must also begin reporting cybersecurity events to the DFS. A cybersecurity event means:
“any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.”
An Information System is defined as a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process control systems, telephone switching and private branch exchange systems, and environmental control systems.
A cybersecurity event is reportable if (1) it impacts the Covered Entity and notice of it is required to be provided to any government body, self-regulatory agency or any other supervisory body; or (2) there is a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.