NYDFS Cybersecurity Requirements Phase 1
The New York Department of Financial Services (NYDFS) implemented Cybersecurity Requirements for Financial Services Companies with the goal of protecting New York financial service institutions and their customers from cyber-threats. This unprecedented rule covers entities that fall under the authority of the NYDFS, including banks, insurance companies and financial service institutions, with limited exemptions based on employee and asset size. Although the rules are effective on March 1st, there is a transitional period ranging from 180 days to 2 years for the NYDFS cybersecurity regulation requirements.
Many of the policies, procedures, and programs required by the new regulations will be based on a periodic risk assessment conducted by the covered entities. The risk assessment should cover changes made to an entity’s Information Systems, nonpublic information, or business operations. The availability and effectiveness of controls to protect nonpublic information and Information Systems should be evaluated along with the ability to revise such controls in response to technological developments and evolving threats. The effective date of the risk assessment is March 1, 2018.
In addition to the risk assessment, the NYDFS cybersecurity regulation requires the following, effective August 28, 2017:
- A cybersecurity program designed to protect the confidentiality, integrity, and availability of the covered entity's Information Systems
- The development and maintenance of a written Cybersecurity Policy and Incident Response Plan
- Designation of a qualified Chief Information Security Officer (CISO) who is charged with implementing, overseeing and enforcing the cybersecurity program and policies
- Training programs to ensure that cybersecurity personnel remain up to date on cybersecurity threats and risks
- Limitation of user access privileges
- Notification to the NYDFS no later than 72 hours after a covered entity determines that a cybersecurity event occurred or was attempted
Other NYDFS cybersecurity requirements with varying effective dates include annual penetration testing and bi-annual vulnerability assessments, encryption of nonpublic information, limitations on data retention, and a third-party service provider security policy.
This regulation also imposes a certification requirement. By February 15th of each year, a covered entity is required to submit to the Superintendent a document certifying NYDFS cybersecurity compliance. A sample form is included with the regulation.
In response to this regulation, WolfPAC added a new state questionnaire to the Regulatory Compliance module on May 1, 2017 to specifically address this important new regulation. The New York Cybersecurity Regulation FAQ is in addition to the risk assessments that cover lending, retail, and data security laws specific to New York state law. The data security questionnaire covers areas such as security breaches and notification to the public when such a breach has occurred, and is to be used in addition to the cybersecurity questionnaire. Utilizing the newest questionnaire will help your organization meet its compliance obligations.
In addition to the updated Regulatory Compliance module, the WolfPAC Information Technology module can assist in performing the risk assessments that are so critical to establishing the various requirements of the regulation.