By Allissa Kline, originally published in Buffalo Business First on Feb 13, 2018, 6:14am EST.
Another Cybersecurity Deadline this Week for Banks, Insurance Companies and Other Financial Organizations
It’s almost deadline day for banks, insurance companies and other financial services institutions in New York that must comply with state-mandated cybersecurity rules.
By Thursday, more than 3,000 organizations regulated by the New York State Department of Financial Services must certify that they are complying with the state’s requirements to establish cybersecurity programs in order to prevent data breaches and protect consumers’ personal information. It’s the next step in New York’s groundbreaking cybersecurity legislation, which includes a series of regulations that began March 1, 2017 and roll out over a two-year period ending March 1, 2019.
Jennifer Beckage is a partner at Phillips Lytle LLP and leader of the firm’s data security and privacy team. She has spent the past several weeks making sure her clients are ready to file the certification on or before the Feb. 15 deadline.
“I think people are probably going to do a lot of filing this week,” Beckage said.
New York became the first state in the nation to require state-regulated financial services institutions to create cybersecurity programs. Over the course of two years, the law requires covered entities to complete certain tasks, such as adopting written cybersecurity policies, designating a chief information security officer to enforce the policies and conducting regular training.
The list of covered entities includes banks, credit unions, check cashers, money transmitters and foreign agencies – essentially, any financial services institution that’s chartered, licensed or registered to do business in New York state.
Beckage said companies are spending a lot of time making sure they follow the regulations. Some of them are so focused on compliance issues that they don’t have enough time to actually concentrate on growing their business, according to Beckage.
Those companies that must follow the new rules don’t have long to sit still. After the passage of this week’s certification of compliance date – which will happen every February – the next big date is March 1. On that date, another layer of regulations takes effect, including the requirement that chief information security officers file reports to the boards of directors or other governing bodies of the individual financial institutions.