The New York State Department of Financial Services’ (DFS) mandatory cybersecurity requirements for financial services entities became effective on March 1st, 2017, with a two-year implementation period. The regulation requires all DFS regulated entities, subject to certain exemptions, to adopt the core requirements of a cybersecurity program. The final effective date for the regulation will be March 1, 2019, by which time, under section 500.11, DFS regulated entities are required to have written policies and procedures that are based on a risk assessment to ensure the security of nonpublic information and information systems that are accessed or held by third party service providers.
DFS has come out with the dates all regulated entities and licensed persons must files various notices to the Superintendent. The final one being next month, February 15th 2019.