The New York Department of Financial Services (NYDFS) implemented Cybersecurity Requirements for Financial Services Companies with the goal of protecting New York financial service institutions and their customers from cyber threats. This unprecedented rule covers entities that fall under the authority of the NYDFS, including banks, insurance companies and financial service institutions, with limited exemptions based on employee and asset size. Although the rules are effective on March 1st, there is a transitional period ranging from 180 days to 2 years for the individual regulatory requirements.
Many of the policies, procedures and programs required by the new regulations will be based on a periodic risk assessment conducted by the covered entities. The risk assessment should cover changes made to an entity’s Information Systems, nonpublic information, or business operations. The availability and effectiveness of controls to protect nonpublic information and Information Systems should be evaluated along with the ability to revise such controls in response to technological developments and evolving threats. The effective date of the risk assessment is March 1, 2018.
In addition to the risk assessment, the regulation requires the following, effective August 28, 2017:
- A cybersecurity program designed to protect the confidentiality, integrity, and availability of its Information Systems
- The development and maintenance of a written Cybersecurity Policy and Incident Response Plan
- Designation of a qualified Chief Information Security Officer who is charged with implementing, overseeing and enforcing the cybersecurity program and policies
- Training programs to ensure that cybersecurity personnel remain up to date on cybersecurity threats and risks
- Limitation of user access privileges
- Notification to the NYDFS no later than 72 hours after a covered entity determines that a cybersecurity event occurred or was attempted.
Other requirements with varying effective dates include annual penetration testing and bi-annual vulnerability assessments, encryption of nonpublic information, limitations on data retention, and a third-party service provider security policy.
This regulation also imposes a certification requirement. By February 15th of each year, a covered entity is required to submit to the Superintendent a document certifying compliance with the cybersecurity regulation. A sample form is included with the regulation.
In response to this regulation, WolfPAC added a new state questionnaire to the Regulatory Compliance module on May 1, 2017 to specifically address this important new regulation. The New York Cybersecurity Regulation questionnaire is in addition to the risk assessments that cover lending, retail, and data security laws specific to New York state. The data security questionnaire covers areas such as security breaches and notification to the public when such a breach has occurred, and is to be used in addition to the cybersecurity questionnaire. Utilizing the newest questionnaire will help your organization meet its compliance obligations.
In addition to the updated Regulatory Compliance module, the WolfPAC Information Technology module can assist in performing the risk assessments that are so critical to establishing the various requirements of the regulation.
For more information on our Regulatory Compliance Risk Assessment and Information Technology modules or to schedule a demo to experience how our solution can simplify your compliance requirements, contact us and speak to one of our experts today.