The new regulation requires financial institutions to implement robust controls to detect, prevent and report cyber incidents.
In addition to captive insurance companies, other exempt entities include small covered entities, designees already covered by another covered entity, and those that do not possess or handle non-public information.
All exempt entities must still file a certificate of exemption with the New York State Department of Financial Services (NYDFS) within 30 days.
According to Romaine Marshall and Matt Sorensen of law firm Holland & Hart, the impact of the new regulation will be “felt far beyond the state of New York and will likely become the baseline standard for the industry”.
The new regulation requires banks, insurance companies, and other financial services institutions regulated by the NYDFS to establish and maintain cyber security programmes designed to protect consumers’ private data and ensure industry safety.
Requirements include conducting periodic risk assessments, maintaining a cyber security programme based on the risk assessment, complying with governance and staffing requirements, and providing regular cyber security awareness training.
Marshall and Sorensen suggested that although the regulation became effective on 1 March, there will be a transition period of between one and two years for most financial institutions to comply.
“Full compliance with such an expansive regulation will [still] be challenging,” they added.