New York Department of Financial Services ("DFS") Superintendent Maria Vullo reminded all DFS-regulated entities covered by DFS's cybersecurity regulation ("covered entities") that the third transitional period of New York's "first-in-the-nation" cybersecurity regulation terminates on September 4, 2018.

The DFS cybersecurity regulation requires banks, insurance companies and other covered entities to implement a cybersecurity program to protect consumer data (see previous coverage). By September 4, 2018, covered entities must be in compliance with additional provisions of the cybersecurity regulation.

After that date, covered entities are obligated to (i) start "mandatory annual reporting" to the board by the Chief Information Security Officer, (ii) create an audit trail for the purpose of supporting normal operations in case of a breach and (iii) institute certain policies to guarantee the use of "secure development practices for IT personnel that develop applications."

DFS also reminded covered entities that they have until March 1, 2019 to assess the risk that any third-party service providers present to their systems, and to ensure that they are protected.
