What is the DFS Cyber Security Regulation?
The NY DFS Cybersecurity Regulation (23 NYCRR 500) is a new set of regulations from the NY Department of Financial Services (NYDFS) that places new cybersecurity requirements on all covered financial institutions. The rules were released on February 16th, 2017 after two rounds of feedback from industry and the public. These regulations acknowledge the ever-growing threat posed to financial systems by cyber criminals, and are designed to ensure businesses effectively protect their customers’ confidential information from cyber attacks. This includes conducting regular security risk assessments, keeping audit trails of asset use, providing defensive infrastructures, maintaining policies and procedures for cyber security, and creating an incident response plan.
Who Needs to Comply?
The NYDFS Cybersecurity Regulation applies to all Covered Entities, meaning “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”
This includes but is not limited to:
Foreign banks licensed to operate in New York
There are limited exemptions to the NYDFS Cybersecurity Regulation. Organizations that employ fewer than 10 people, produced less than $5 million in gross annual revenue from New York operations in each of the past three years, or hold less than $10 million in year-end total assets are exempt from certain requirements of the Regulation.
01 When Do I Need to Comply?
The effective date for the new regulation was March 1, 2017. You have 180 days, or until Aug. 28, 2017, to become compliant. Additionally, there are phase-in transition periods for the different provisions, so the earliest that you must comply with any part of the regulation is Aug. 28, 2017.
On or before Sept. 27th, 2017 (has been extended to Oct. 30, 2017): initial 20-day period for filing Notices of Exemption.
On or before Feb. 15, 2018: the first annual certification of compliance will be due to the New York State Department of Financial Services.
02 What Do I Need to Do?
First, send in your certifications. Send the following two certification forms to NYDFS:
1. File your LIMITED EXEMPTION FORM by Sept. 27, 2017 (has been extended to Oct. 30, 2017), via the NYDFS secure portal: http://on.ny.gov/2qTdBPR You will first be prompted to Create an Account at the bottom of the screen on the secure portal. This account and portal will be used for future regulatory filings relating to cybersecurity, including notices of cybersecurity events and certifications of compliance.
03 Send Forms
After you’ve completed your compliance documents below, send in your CERTIFICATION OF COMPLIANCE FORM by Feb. 15, 2018, via the NYDFS secure portal: http://on.ny.gov/2qTdBPR A Covered Entity may not submit a certification under 23 NYCRR 500.17(b) unless the Covered Entity is in compliance with all applicable requirements of Part 500 at the time of certification. Form is available on Page 13.
The board of directors or a senior officer(s) of the Covered Entity certifies:
1. the board of directors (or name of senior officer(s)) has reviewed documents, reports, certifications and opinions of such officers, employees, representatives, outside vendors and other individuals or entities as necessary; and
2. to the best of the (board of directors) or (name of senior officer(s)) knowledge, the Cybersecurity Program of (name of Covered Entity) as of (date of the board resolution or senior officer(s) compliance finding) for the year ended (year for which board resolution or compliance finding is provided) complies with Part 23 NYCRR 500.
Signed by the chairperson of the board of directors or senior officer(s).
04 Prepare Your Compliance Documents
Fill in the following paperwork and keep copies for your files (DO NOT send to NYDFS):
1. CONDUCT A RISK ASSESSMENT of your information system (computers). The Risk Assessment must be carried out in accordance with written policies and procedures and must be documented. Such policies and procedures must include:
1. criteria for the evaluation and categorization of identified cybersecurity risks or threats facing your information system;
2. criteria for the assessment of the confidentiality, integrity, security and availability of your information systems and nonpublic information, including the adequacy of existing controls in the context of identified risks; and
3. requirements describing how identified risks will be mitigated or accepted based on the Risk Assessment and how the cybersecurity program will address the risks.
View a Risk Mitigation Assessment Template Checklist
05 Prepare a Cybersecurity Program
You are required to maintain a cybersecurity program in your agency designed to protect the confidentiality, integrity and availability of your information systems. Your cybersecurity program will be based on the results of your risk assessment (above) and designed to perform the following core cybersecurity functions:
1. identify and assess internal and external cybersecurity risks that may threaten the security or integrity of nonpublic information stored on your information systems (use checklist above);
2. use defensive infrastructure and the implementation of policies and procedures to protect your information systems, and the nonpublic information stored on those information systems, from unauthorized access, use or other malicious acts (antivirus and firewall, secure computers at night, regularly change passwords, restrict access to data and systems)
06 Prepare a Written Cybersecurity Policy
You need to implement and maintain a written policy or policies in your agency setting forth your policies and procedures for the protection of your information systems and the Nonpublic Information stored on those information systems. You are also required to notify the superintendent of cybersecurity events as promptly as possible, but in no event later than 72 hours from a determination that a reportable
See: http://www.dfs.ny.gov/about/cybersecurity_faqs.htm
New York State Department of Financial Services, One State St., New York, NY 10004-1511
Send them with proof of mailing and keep copies in your files.
Like the cybersecurity program, your cybersecurity policy will be based on your risk assessment and needs to address the following areas:
06 Final Steps
YOU ALSO MUST:
1. Limit and periodically review access privileges to your information system (who can log onto your computers).
2. Provide notice to the superintendent of a cybersecurity event, if one occurs (see above). Use this NYS Security Breach Reporting Form.
Eventually, you will need a THIRD-PARTY PROVIDER SECURITY POLICY, but not until March 2019. 23 NYCRR 500.11 generally requires a Covered Entity to develop and implement written policies and procedures designed to ensure the security of the Covered Entity’s Information Systems and Nonpublic Information that are accessible to, or held by, Third-Party Service Providers.