NYDFS Cybersecurity Rules

After an initial 90 day review period and subsequent revisions, the New York State Department of Financial Services (NYDFS) has formalized their best in country standards for cyber risk management as of December 28th, 2016. The new NYDFS cybersecurity regulations go into effect on March 1, 2017.

The rules impact over 2,200 financial institutions operating under a license or authorization of NY State Law.  Each company is required to assess its specific risk profile and design a program that addresses its risks in a robust fashion. The regulations are designed to ensure senior management participation via an annual certification process.  Given the timeline to meet the targets and the consequential surge in demand for cyber expertise, it is in the best interest of affected institutions to begin to prepare as soon as possible.

General Categories of the NYDFS Regulations

• Maintaining a cybersecurity program, including the adoption of a written cybersecurity policy
• Implementing and maintaining written policies and procedures regarding application security, data retention, and information systems and nonpublic information accessible to or held by third-party service providers
• Periodically assessing information systems
• Designating a qualified individual to function as Chief Information Security Officer (CISO) and the CISO’s responsibilities
• Employing and training of cybersecurity personnel and training for all personnel
• Technical requirements, including multi-factor authentication and encryption of nonpublic information
• Oversight requirements including penetration testing, vulnerability assessments, risk assessments, and audit trail systems
• Creating a written incident response plan and notification to the superintendent in the event of a cybersecurity event
• Annual certification (the “Certification of Compliance”) by senior executives (or possibly by entire Boards of Directors) to the NYDFS Superintendent of compliance with the cybersecurity regulation

Exemptions

• Entities that do not operate, maintain, utilize or control any Information System, and is not required to own, access, generate, receive or possess Non Public information will be exempt from some but not all regulations
• Entities with less than 10 employees
• Entities with < $5,000,000 in gross annual revenue in each of the last three fiscal years
• Entities with < $10,000,000 in year- end total assets will be exempt from some but not all regulations