NY Security Mandate

The standard (23 NYCRR Part 500) has fifteen requirements for covered entities. Smaller entities, those with fewer than ten employees, less than $5M in gross annual revenue, or less than $10M in year-end total assets, qualify for a limited exemption from some of them:

  • A formal cybersecurity program.
  • Policies/Procedures/Standards governing the cybersecurity program.
  • A designated Chief Information Security Officer (CISO) with responsibility for the cybersecurity program.
  • Annual penetration testing, and twice-yearly vulnerability assessments.
  • System and application monitoring and audit-trail controls (in practice, a SIEM or equivalent log collection needs to be in place).
  • A formal user access, authentication, and authorization process.
  • Multi-factor authentication.
  • A data retention policy and process.
  • An awareness training/education program.
  • Encryption of non-public information, both in transit and at rest (with compensating controls permitted where encryption is infeasible).
  • An Incident Response Plan.
  • An application security program.
  • Risk assessments of all information systems and applications.
  • A team of “qualified” people to manage the operational functions within the cybersecurity program, along with processes for security training for the team to keep them up-to-date on threats, risks, exploits, and trends within the industry.
  • A program to assess the security of third-party service providers, and ensure compliance of those providers to a standard set of requirements.

It also:

  • Requires that the DFS superintendent be notified within seventy-two hours of determining that a reportable “cybersecurity event” has occurred.
  • Gives covered entities a 180-day transitional period from the March 1, 2017 effective date to comply (with longer transition periods for a few requirements), and requires that, by February 15, 2018, they submit a “Certificate of Compliance” certifying that they are meeting these requirements.
  • Applies to “…any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” within the state of New York, which is a pretty wide swath of companies.