WHAT EXACTLY IS THE NYDFS CYBERSECURITY REGULATION? A NEW CYBERSECURITY COMPLIANCE REQUIREMENT FOR FINANCIAL INSTITUTIONS
The New York Department of Financial Services (NYDFS) has issued a new set of rules known as the NYDFS Cybersecurity Regulation (23 NYCRR 500), which imposes new cybersecurity standards on all financial institutions that fall within its purview. Following two rounds of comments from industry professionals and the general public, the regulation was finalized on February 16, 2017. The compliance deadline for several of the new requirements for covered institutions has been set at August 28, 2017.
WHO IS RESPONSIBLE FOR COMPLIANCE WITH THE NYDFS CYBERSECURITY REGULATION?
The NYDFS Cybersecurity Regulation applies to all entities operating under, or required to operate under, a DFS license, registration, or charter, or that are otherwise DFS-regulated, and, by extension, to the unregulated third-party service providers of those regulated entities. The regulation was created to strengthen the defenses of the state's financial system against cyberattacks. Examples of covered entities include:
- State-chartered banks
- Licensed lenders
- Private bankers
- Foreign banks authorized to do business in New York
- Mortgage firms
- Insurance firms
- Service providers
The NYDFS Cybersecurity Regulation allows for only a small number of exemptions. Certain provisions of the Regulation do not apply to businesses that meet specific criteria, such as having fewer than 10 employees, having generated less than $5 million in gross annual revenue from New York operations in each of the preceding three years, or having less than $10 million in total assets as of the end of the fiscal year.
HOW THE NYDFS CYBERSECURITY REGULATION WORKS
The NYDFS Cybersecurity Regulation works by requiring covered organizations to comply with stringent cybersecurity rules. These include implementing a comprehensive cybersecurity policy, designating a Chief Information Security Officer (CISO), implementing a detailed cybersecurity program, and establishing and maintaining an ongoing reporting process for cybersecurity events. Each of these components is built from numerous supporting rules and requirements.
ACCORDING TO THE REQUIREMENTS OF THE NYDFS CYBERSECURITY REGULATION, EACH "COVERED" INSTITUTION IS REQUIRED TO ADOPT A SOLID CYBERSECURITY PROGRAM BY AUGUST 28, 2017.
A cybersecurity program that conforms with the new NYDFS Cybersecurity Regulation must meet several key standards aligned with the NIST Cybersecurity Framework, including the following:
- Identify all internal and external cybersecurity risks to the network.
- Use defensive infrastructure to protect against those risks.
- Detect cybersecurity events.
- Respond to every cybersecurity incident that is detected.
- Recover from each cybersecurity incident.
- Fulfill the regulation's various reporting requirements.
BY THE DATE OF AUGUST 28, 2017, EACH AND EVERY INSTITUTION THAT IS COVERED IS REQUIRED TO IMPLEMENT A COMPREHENSIVE CYBERSECURITY POLICY.
Under the NYDFS Cybersecurity Regulation, every covered institution must implement and maintain a written cybersecurity policy. The policy must address its areas of concern in line with industry best practices and the standards established by ISO 27001. Most importantly, the policy has to cover:
- Protection of sensitive information
- Access controls
- Emergency preparedness and response
- Security for both systems and networks
- Customer data privacy
- Regular risk evaluations
INSTITUTIONS THAT ARE COVERED ARE REQUIRED TO COMPLY WITH THESE ADDITIONAL REQUIREMENTS BY THE DATE OF AUGUST 28, 2017.
Organizations within the purview of the NYDFS Cybersecurity Regulation are further obliged to:
- Appoint a Chief Information Security Officer (CISO) who is qualified to oversee the cybersecurity program, monitor its implementation, and ensure compliance with policy. Organizations may use a third party to fulfill this function.
- Employ qualified cybersecurity personnel who receive ongoing training to keep up with evolving cybersecurity threats and responses. These may be third-party personnel.
- Notify the NYDFS of any cybersecurity incident that has a "reasonable likelihood" of causing material harm.
- Limit access privileges. The rule requires covered businesses to monitor and restrict the access privileges granted to users.
INSTITUTIONS THAT ARE COVERED BY THIS ACT ARE REQUIRED TO ADDRESS NEW CYBERSECURITY CHALLENGES
Some of the requirements of the NYDFS Cybersecurity Regulation go beyond what is currently considered industry best practice. The most important ones are the following:
- Encryption of data: Based on the findings of a risk assessment, organizations must put controls in place, one of which must be the encryption of sensitive data.
- Annual certification: Covered entities must certify annually that they are in compliance with the rules.
- Enhanced multi-factor authentication: Covered institutions must use multi-factor authentication for all incoming connections to the covered organization's network.
- Incident reporting: All covered companies must keep detailed records of, and report, every cybersecurity incident.
BENEFITS AND DRAWBACKS OF THE NYDFS CYBERSECURITY REGULATION
A long history of damaging cyberattacks and data breaches in the banking sector led to the adoption of the NYDFS Cybersecurity Regulation on March 1, 2017. Although the NYDFS opened the path for other states to establish much-needed cybersecurity legislation, it is possible that other states' efforts will not go far enough. The following are some of the benefits and drawbacks of the new rule, in no particular order:
- The original version of the legislation called for the encryption of all data both at rest and in transit. Many institutions objected that this was an unnecessary restriction, so the regulation was revised to remove this requirement.
- According to Sam Olyaei, a senior research analyst at Gartner Research, the regulation was badly out of date even before it was enacted, though he admits that it is much better than the regulation in place (or not in place) in other states. Nonetheless, he believes it could be improved.
- Under the version of the legislation that was actually put into effect, exemptions may be granted to businesses with fewer than 10 workers in total, including independent contractors.
- Many of the regulatory requirements may be satisfied by relying on third-party service providers, which are available to both small and medium-sized businesses.
BEST PRACTICES FOR COMPLYING WITH NYDFS CYBERSECURITY REGULATION
Compliance with the new NYDFS Cybersecurity Regulation will be a challenge for financial institutions in the near term. The most effective approach is to satisfy all of the requirements in a timely manner, pay close attention to the deadlines, and appoint a certified CISO to coordinate an adequate response. When preparing to comply with the NYDFS Cybersecurity Regulation, be sure to do the following:
- Determine whether or not your organization is "covered." A few exemptions are available, but tax-exempt organizations are required to submit their paperwork within a month after the close of their most recent fiscal year. Check the "Who We Supervise" page of the NYDFS website to see whether or not your company is "covered."
- Assemble the team that will be responsible for regulatory compliance at your business. By August 28, 2017, all financial institutions that are not exempt from this requirement must have appointed a Chief Information Security Officer (CISO). Even though the CISO is ultimately responsible for compliance, achieving and maintaining compliance is typically a job for a team rather than an individual, especially since the new regulations apply across the entire organization.
- Understand your risk profile. The mandatory Risk Assessment must be completed by March 1, 2018, at the latest. However, companies may choose to finish a risk assessment considerably earlier, since completion of the Risk Assessment is tied to other requirements that are due on August 28, 2017.
- Always meet the deadlines. A number of the new rule's provisions take effect as early as August 28, 2017, while others are scheduled to take effect at later dates. For more detail, please refer to this document, which contains the full regulation.