Starting today, New York’s banking and insurance sectors must report to the authorities within 72 hours any security incident that might have a ‘rational possibility’ of causing substantial harm to ordinary operations.
As of today, bankers, insurers, and other financial services firms in the state of New York must officially report the sort of cybersecurity occurrences that until now most establishments have been able to sweep under the carpet.
The new rules apply to enterprises covered by the New York Department of Financial Services (DFS) and its new cybersecurity regulation, 23 NYCRR 500, which officially took effect in March but reaches its first compliance deadline today.
Under 23 NYCRR 500, covered organizations must report to the DFS Superintendent within 72 hours any cybersecurity event that might have a rational probability of material harm to their normal operation.
Last month DFS launched a new online portal for reporting events. Companies covered by the regulation must submit their annual compliance report to the Superintendent, due on February 15.
The regulation is the first of its type in the USA. It officially came into effect in March, with a series of compliance deadlines spread over two years.
As of today, covered entities must have a cybersecurity program, a cybersecurity policy, a chief information security officer, a security occurrence reporting agenda, and a process to begin limiting user access privileges. Entities must do due diligence while selecting them.