All Companies Regulated by the New York Department of Financial Services Are Required to Comply with the Regulation’s Governance Policies and Procedures, as Well as Risk-Based Monitoring Systems Requirements and Encryption Programs for Nonpublic Information by September 4, 2018
New York has reminded all regulated companies that the third transitional period for the New York cyber regulation ends on September 4, 2018. Starting September 4, all companies will be required to have:
- Commenced mandatory annual reporting to the board by the Chief Information Security Officer concerning critical aspects of the cybersecurity program;
- An audit trail designed to reconstruct material financial transactions sufficient to support normal operations in the event of a breach;
- Policies and procedures in place to ensure the use of secure development practices for IT personnel that develop applications for the Covered Entity;
- Implemented encryption to protect nonpublic information held or transmitted by the company;
- Developed policies and procedures to ensure secure disposal of information that is no longer necessary for the business operations; and
- Implemented a monitoring system that includes risk-based monitoring of all persons who access or use any of the company’s information systems or who access or use the company’s nonpublic information.
The New York Department also reminds regulated entities that if they utilize Third-Party Service Providers, they must evaluate the risk that any Third-Party Service Providers pose to the security of those systems and data and ensure those systems and data are protected by March 1, 2019.
Westmont Associates, Inc. tracks developments affecting the insurance industry, in addition to our other services. If you have any questions, please contact us.