The blog post was first published on February 24th, 2017.
Effective March 1st, 2017 entities under the jurisdiction of the New York State Department of Financial Services (“NYSDFS”) will have new Cybersecurity Requirements. The new regulations will apply to banks, insurance companies and other institutions subject to the jurisdiction of NYSDFS.
Purpose of the NYSDFS New Cybersecurity Regulations
The new regulations set out to protect against, “…the ever growing threat posed to information and financial systems…that can cause significant financial losses for DFS regulated entities as well as for New York consumers whose private information may be revealed and/or stolen for illicit purpose.” NYSDFS has created certain regulatory minimum standards, without “…being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances.” Generally put, NYSDFS wants financial institutions under its jurisdiction “to adopt cybersecurity programs and … to be subject to minimum standards with respect to their programs.”
NYSDFS Cybersecurity Program General Requirements
Those entities covered under the Regulation are required to maintain a cybersecurity program that is designed “to protect the confidentiality, integrity, and availability of the entities Information Systems.” The design must be based on the “Covered Entity’s Risk Assessment” and must perform certain core cybersecurity functions. Such functions include: identifying risks, detecting “Cybersecurity Events”, recovering from such events and restoring normal operations and services after the occurrence of a Cybersecurity Event.
Covered Entities will also be required to have an Chief Information Security Officer, and perform functions, such as: Penetration Testings and Vulnerability Assessments, Audit Trails, Risk Assessments and Encrypting nonpublic information. Additionally, covered entities will be required to limit access privileges to Information Systems, including instituting a multi-factor authentication to prevent unauthorized access, have an incident response plan and write cybersecurity policies and procedures for Third Party Service Providers who are also covered under the new regulations.
“Cybersecurity Event” Notice to Superintendent of NYSDFS
Covered entities also must provide Notice to the NYSDFS’s Superintendent no more than 72 hours after it is determined that Cybersecurity Events specified under Section 500.17(a) have occurred. Additionally, each year, covered entities are required to submit a written statement asserting the prior year’s compliance of the new requirements by February 15th.
NYSDFS Cybersecurity Policy
Regarding Cybersecurity Policy, Covered Entities will be required to have a written implemented policy. The policy must be based upon the Covered Entity’s Risk Assessment and include the entities Cybersecurity operations under Section 500.03, including: information security, data governance and classification, systems and network security, customer data privacy, and incident response.
The new requirement does have limited exemptions for covered entities that fall under Section 500.19 regulations. For example, covered entities that have only 10 employees, are exempt from the following requirements: 1)having an Chief Information Security Officer; 2) conducting Penetration Testing and Vulnerability Assessments; 3) having audit trails; 4) including written procedures, guidelines and standards for in-house developed applications utilized by the Covered Entity; 5) having Cybersecurity Personnel and Intelligence; 6) having Multi-Factor Authentication; 7) implementing and providing training and monitoring; and 8) Encrypting nonpublic information.
Accessing the NYSDFS New Cybersecurity Regulations
The new regulations can be accessed at the following link.