NEW YORK CYBERSECURITY RULES – PHASE 3 IMPLEMENTATION

Posted on September 14, 2018

In early 2017, the New York State Department of Financial Services released its final rule on cybersecurity, requiring all entities licensed under the Banking Law, Insurance Law and the Financial Services Law to develop information security policies and procedures.  These “Covered Entities” were granted an eighteen-month transition period to come into compliance with certain sections of the rule.  This transition period ended on September 4, 2018.  As a result, Covered Entities must now meet the following compliance requirements:

  • Audit Trails.  Covered Entities must be able to reconstruct material financial transactions and also provide for audit trails to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations of the business.
  • Application Security.  Covered Entities must maintain written procedures for securely using internally developed applications, and testing the security of externally developed applications, which are utilized in the business’s technology environment.  Such procedures must also be periodically reviewed and updated.
  • Limitations on Data Retention.  Covered Entities must enact data disposal procedures relating to confidential, nonpublic information not necessary to the business (e.g., social security numbers, credit card numbers, confidential health care information).
  • Training and Monitoring.  Covered Entities must implement risk-based policies and procedures to monitor the activity of authorized users and detect unauthorized access to confidential, nonpublic information.
  • Encryption of Nonpublic Information.  Covered Entities must implement encryption controls, or other alternative compensating controls, to protect confidential, nonpublic information in transit and at rest. 

This article has been prepared for general information purposes only and is not intended as legal advice, nor does it create an attorney-client relationship. These materials may be considered Attorney Advertising in some states. If you should have questions regarding how cybersecurity regulations may impact your firm, please contact Steven Suozzi at 585-445-2753, or another member of the Firm’s Business Counseling practice group.

Steven A. Suozzi