New York State Department of Financial Services (NYS DFS) cybersecurity compliance law has been in effect since March 1, 2017. According to this new law, financial organizations are required to implement specific cybersecurity assurances to their systems. Financial institutions subject to the regulation are expected to be compliant with the first set of requirements by August 28, 2017.

In February 2017 the New York State Department of Financial Services (NYS DFS) issued a new cybersecurity regulation for banks, insurance companies and other financial institutions subject to NYS DFS jurisdiction. The NYS DFS developed this regulation over the past few years by conducting three industry surveys, holding multiple meetings with financial service firms and soliciting feedback from other US regulators.

Organizations that are required by law to comply*

According to NYS DFS the regulation covers all entities operating under or required to operate under DFS licensure, registration, or charter, or which are otherwise DFS-regulated, as well as, by extension, unregulated third party service providers to regulated entities.

• State-chartered banks
• Licensed lenders
• Private bankers
• Foreign banks licensed to operate in New York
• Service contract providers
• Trust companies
• Mortgage companies
• Any insurance company doing business in New York

Financial services firms with fewer than 10 employees, less than $5 million in gross annual revenue for three years, or less than $10 million in year-end total assets are exempt.*

New York State is the first to act and its new regulation establishes requirements that go beyond federal requirements in many important areas. According to The National Law Review, “The new regulation will be felt far beyond the state of New York and will likely become the baseline standard for the financial services industry.”

*Exemptions: (1) fewer than 10 employees, including any independent contractors, of the Covered Entity or its Affiliates located in New York or responsible for business of the Covered Entity, or (2) less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations of the Covered Entity and its Affiliates, or (3) less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates, shall be exempt from the requirements of sections 500.04, 500.05, 500.06, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16 of this Part.

Cybersecurity requirements mandated by law*

• Implement a cybersecurity program
– Identify and assess internal/external cybersecurity risks
– Use defensive infrastructure
– Implement policies and procedures
– Detect cybersecurity events
– Respond to identified or detected cybersecurity events
– Recover from cybersecurity events
– Restore normal operations and services
– Fulfill applicable regulatory reporting obligations
• Implement and maintain a written policy or policies
• Continuous monitoring or periodic penetration testing and vulnerability assessments (non-continuous monitoring of Information Systems, such as through periodic manual review of logs and firewall configurations, would not be considered to constitute “effective continuous monitoring”)
• Appoint a CISO (in-house or third party) who must report to your board
• Maintain audit trails for five years
• Conduct periodic risk assessments
• Ensure the security of third party service providers
• Use multi-factor authentication or alternative access controls
• Train and monitor the activity of privileged users
• Encrypt nonpublic information
• Establish an incident response plan
• Notify regulators of breaches within 72 hours of the incident
• Implement encryption or other compensating controls
• Protect all nonpublic information
• Destroy nonpublic information periodically and securely
• Certify regulatory compliance annually, and more

*For the full list of regulations and deadlines, see New York State Department of Financial Services 23 NYCRR 500.

NYS DFS REQUIREMENTS AND COMPLIANCE DEADLINES*

The cybersecurity compliance regulation issued by the New York State Department of Financial Services (NYS DFS) has been in effect since March 1, 2017. Financial institutions subject to the regulation are expected to be compliant with the first set of requirements by August 28, 2017. Take note of these very important deadlines.

• Adopt written cybersecurity policies (500.03)
• Establish access privileges (500.07)
• Utilize qualified cybersecurity personnel (500.10)
• Establish a written incident response plan (500.16)
• Notify NYS DFS of a cybersecurity breach within 72 hours (500.17a)
• Maintain a cybersecurity program to protect Information Systems and the nonpublic information on those systems (500.02)
• Submit annual certification of compliance with the NYS DFS regulations (500.17b)
• Designate a Chief Information Security Officer (CISO) who will provide an annual report to the Board of Directors or equivalent governing body (500.04)
• Conduct periodic risk assessments (500.09)
• Continuous monitoring or periodic penetration testing and vulnerability assessments (500.05)
• Use multi-factor authentication for individuals accessing enterprise networks from an external network (500.12)
• Maintain audit trails for at least five years (500.06)
• Maintain application security policies and procedures (500.08)
• Adopt policies and procedures for the secure disposal of personally identifiable information (500.13)
• Monitor the activity of authorized users (500.14a)
• Provide regular cybersecurity awareness training for all personnel (500.14b)
• Use encryption or “effective alternative compensating controls” to protect nonpublic information in transit or at rest (500.15)
• Implement written policies and procedures to ensure the security of Third Party Service Providers (500.11)
*For the full list of regulations and deadlines, see New York State Department of Financial Services 23 NYCRR 500.

Is your organization NYS DFS compliant?

For answers to your questions and the latest information that ensures NYS DFS regulations compliance, contact us today.

WHY CYBERSAFE?
Cybersafe’s team of cyber experts has developed and implemented hundreds of Written Information Security Programs (WISPs) in both the public and private sectors. One of the key components of an Information Security Program is establishing an Information Security Policy that reflects the organization’s objectives as they pertain to security.

Prior to establishing an Information Security Policy, it is critical that we find out how management views security. While many security policies share common themes, we understand that each organization is unique and must develop its own set of policies customized to its distinct way of conducting business. It is important that an organization’s security policies always reflect actual practice to which everyone agrees and complies. Our team takes a holistic approach to implementing an Information Security Program that includes policies and procedures to protect the confidentiality, integrity and availability of an organization’s sensitive data. Failure to protect all three of these aspects could result in legal liability, regulatory fines, and loss of business and customer trust.