With March comes Spring – and the full force and effect of the Cybersecurity Regulation of the New York Department of Financial Services (“NYDFS”). This includes requirements relating to Third Party Service Providers (e.g., vendors, suppliers, agents – the term Third Party Service Providers is defined in the Regulation). Canadian companies and financial service providers may be caught by these and other provisions of the Regulation and should review the applicability of these recently-in-force provisions.
The Regulation was first promulgated on March 1, 2017 and required banks, insurance companies, and other financial institutions and individuals who are, or should be, licensed with NYDFS (called Covered Entities in the Regulation) to comply with what some characterized as fairly onerous cybersecurity and data security requirements. The final transitional period for the Regulation ended on March 1, 2019 – meaning all affected entities will need to be in compliance.
The Regulation had been criticized as being overly prescriptive and unduly burdensome, resulting in the NYDFS giving entities covered by the Regulation a two-year transitional period to address the requirements of the Third Party Service Provider provision.
With the Regulation now fully in force, Covered Entities must have written policies and procedures to address the risks associated with Third Party Service Providers’ access to Nonpublic Information or Information Systems. Among the items required are the establishment of minimum cybersecurity practices for Third Party Service Providers and the development of due diligence processes to assess these practices.