On March 1, Wall Street banks and other institutions regulated by the New York Department of Financial Services (NYDFS) will have new set of cybersecurity rules to follow.

The rules, which were originally set to take effect at the beginning of the year, were pushed back after comments from banks, insurers and other financial services companies. Because of the comments, some of the rules will be phased in. Compliance will be required within 180 days for some standards. Others will have a grace period of up to two years.

The regulations require institutions regulated by the NYDFS to write and implement cybersecurity policies based on a series of risk assessments required under the new law. The policies must address 14 areas outlined in the law. The areas include:

  • Information security
  • Data governance and classification
  • Asset inventory and device management
  • Access controls and identity management
  • Business continuity and disaster recovery planning and resources
  • Systems operations and availability concerns
  • Systems and network security
  • Systems and network monitoring
  • Systems and application development and quality assurance
  • Customer data privacy
  • Physical security and environmental controls
  • Vendor and third-party service provider management
  • Risk assessment
  • Incident response

Written policies must also be created to ensure the security of internal and external applications, the timely disposal of data, monitoring of information systems to identify unauthorized users, and an outline of an incident response plan. A company’s vendors are also on the hook: Security by third-party providers must also be ensured by the regulated institution.

Cybersecurity policies and procedures are due by Aug. 28, 2017. A policy for periodic assessments must be in place by March 1, 2018. Six months later, on Sept. 1, 2018, application security and data disposal policies must be created. And six months after that, on March 1, 2019, a plan to ensure third-party service providers are secure must have been implemented.

The new rules are aimed, according to the state, at protecting the “confidentiality, integrity, and availability” of information held by companies. A cybersecurity program must address internal and external risks, policies and infrastructure to protect information systems, and how the company will detect a breach, respond to it and mitigate it. The law also requires a plan for recovery and restoration of information after a breach and compliance with reporting obligations.

If a company has been operating without a single, qualified person who is responsible for cybersecurity issues, it will be required to hire that individual by Aug. 28. The position can be on staff or filled through a third-party service provider. The chief information security officer role must be directly responsible for compliance with the law and is required to report to the board of directors on cybersecurity risks on an annual basis. The chief information security officer will also be required to periodically conduct cybersecurity awareness training for employees. The first employee training must have occurred by March 1, 2018.

Under the new law, a company must notify the NYDFS within 72 hours of a suspected breach. And mandatory security measures must be in place by March 1, 2018, to protect information. This includes using multifactor authentication or its equivalent for individuals accessing a company’s network from an external network. Periodic risk assessments and vulnerability testing (along with an audit trail for those activities) must also be in place by 2018.

The comment period for the proposed rules closed in January – though it’s unclear if the agency may alter the rules again based on feedback received. The full text of the proposed rules can be found here.