NYDFS Cybersecurity Regulations Nearly Fully Effective

The February 15, 2019 NYDFS compliance certification deadline represents the last annual compliance certification subject to the transition period for covered entities to come into compliance with the cybersecurity regulations. NYDFS now expects covered entities to certify their compliance with all but one provision of the cybersecurity regulations. The exception is the provision relating to the implementation of third-party service provider security policies and procedures.

This 2019 compliance certification is the first certification to cover compliance with the provisions relating to audit trail, application security, limitations on data retention, and encryption of NPI, and the implementation of training and monitoring policies, procedures, and controls. In light of the January 2018 memo issued by NYDFS regarding new examination procedures, NYDFS appears to be prepared to extend its supervisory oversight and examination activities into these additional areas as well, now that they are effective.

The next and final compliance deadline, for the implementation of third-party service provider security policies and procedures, is March 1, 2019. Consequently, covered entities will be expected to certify their compliance with the full panoply of the NYDFS cybersecurity regulation to which they are subject in February 2020.