The deadline is looming for banks and financial institutions that do business in New York to comply with new regulation that requires them to keep an audit trail of financial transactions for at least five years. Provisions of the Cybersecurity Regulation, which was passed in March 2017, will go into effect on September 3, and require certain financial institutions to maintain records and an audit trail of material financial transactions. The systems should ensure that banks have access to key financial data should they experience a cyber-attack.
All regulated data must be encrypted and safely erased when it is no longer necessary for business operations, and banks must maintain an audit trail of security events for three years, a big increase over the current industry standard of 30 to 60 days. Financial institutions that must comply with the regulation are those that are required to operate under New York banking, insurance, and finance laws.
By September 3, 2018, Covered Entities are to have the following in place:
- Audit Trail (500.06). Covered Entities must maintain systems designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the Covered Entity (and keep such records no fewer than five years). They must also include audit trails to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity (and to keep such records for no fewer than three years).
- Application Security (500.08). Maintenance of policies and procedures is required to foster secure development practices for in-house developed applications and procedures for evaluating, assessing or testing the security of externally developed applications. The DFS issued a FAQ on this particular section, noting that compliance with the Regulation should be addressed in acquisitions and mergers involving Covered Entities.
- Limitations on Data Retention (500.13). Policies and procedures are required for the secure disposal on a periodic basis of any non-public information (“NPI”) (as defined under the Regulation) that is no longer necessary for business operations or for other legitimate business purposes of the Covered Entity, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.
- Training and Monitoring (500.14). Further development of policies is required for the continued monitoring of authorized users and detection of unauthorized users, along with continued cybersecurity awareness training.
- Encryption of NPI (500.15). Controls, including encryption, should be employed to protect NPI held or transmitted by the Covered Entity both in transit over external networks and at rest. To the extent encryption of NPI in transit is infeasible, a Covered Entity may instead secure such NPI using effective alternative compensating controls reviewed and approved by the Chief Information Security Officer (“CISO”). If compensating controls are used, the CISO should review them annually.
Another deadline is coming next winter. On or before February 15, 2019, Covered Entities must submit a certification of compliance with respect to the requirements above, in addition to those requirements that were subject to the first certification made on or before February 15, 2018. 