Understanding NYDFS Cybersecurity Regulations
Look, we get it, these regulations and timelines can be confusing. So what’s most important to us is that you understand exactly what’s being asked of you.
NYDFS Cybersecurity Rules
After an initial 90-day review period and subsequent revisions, the New York State Department of Financial Services (NYDFS) formalized its best-in-country standards for cyber risk management as of December 28th, 2016. The new NYDFS cybersecurity regulations go into effect on March 1, 2017.
The rules impact over 2,200 financial institutions operating under a license or authorization of NY State Law. Each company is required to assess its specific risk profile and design a program that addresses its risks in a robust fashion. The regulations are designed to ensure senior management participation via an annual certification process. Given the timeline to meet the targets and the consequential surge in demand for cyber expertise, it is in the best interest of affected institutions to begin to prepare as soon as possible.
General Categories of the NYDFS Regulations
- Maintaining a cybersecurity program, including the adoption of a written cybersecurity policy
- Implementing and maintaining written policies and procedures regarding application security, data retention, and information systems and nonpublic information accessible to or held by third-party service providers
- Periodically assessing information systems
- Designating a qualified individual to function as Chief Information Security Officer (CISO) and defining the CISO’s responsibilities
- Employing and training cybersecurity personnel, and providing cybersecurity training for all personnel
- Technical requirements, including multi-factor authentication and encryption of nonpublic information
- Oversight requirements including penetration testing, vulnerability assessments, risk assessments, and audit trail systems
- Creating a written incident response plan and notification to the superintendent in the event of a cybersecurity event
- Annual certification (the “Certification of Compliance”) by senior executives (or possibly by entire Boards of Directors) to the NYDFS Superintendent of compliance with the cybersecurity regulation
Exemptions
- Entities that do not operate, maintain, utilize or control any Information System, and are not required to own, access, generate, receive or possess Nonpublic Information, will be exempt from some but not all regulations
- Entities with less than 10 employees
- Entities with < $5,000,000 in gross annual revenue in each of the last three fiscal years
- Entities with < $10,000,000 in year-end total assets will be exempt from some but not all regulations
NYDFS Cybersecurity Regulations Timeline
- September 1, 2017: Develop Cyber Program predicated on the entity’s Risk Assessment; Implement and maintain written…
- February 15, 2018: Initial Certification of Compliance submissions must be filed
- March 1, 2018 (1 year after the Effective Date): Initial CISO Report; Penetration Testing and Vulnerability Assessments; Risk Assessment; Multi-Factor Authentication; Training…
- September 1, 2018 (18 months after the Effective Date): Audit Trail; Application Security; Limitations on Data Retention; Monitoring of Authorized Users…
- March 1, 2019: Third-Party Service Provider Security Policy
How We Can Help:
CyberRisk Solutions offers a number of options to help you reach the specific compliance targets for NYDFS and its new cybersecurity regulations, along with those of other regulatory bodies that are focused on raising the bar to address cybersecurity risk. Here’s what we can handle for you:
- Development of the full Cyber Security Program
- Be the Official CISO
- etc….
