How to Prepare for New York State Department of Financial Services Cybersecurity Regulation (NYDFS)
Financial services organizations licensed by or operating in New York State must adhere to a new cybersecurity regulatory regime that went into effect on March 1st, 2017. A series of transitional (grace) periods follows this date over two years, leading up to the final key date of March 1, 2019.
In September 2016, New York state governor, Andrew Cuomo, announced this “first-in-the-nation” regulation proposed to protect New York State from the ever-growing threat of cyber-attacks. The governor considers the state the “financial capital of the world” and is taking decisive action to protect consumers and our financial system. Compliance experts believe that other states may follow suit with similar regulations in the future.
How Will NYDFS Impact My Business?
This new regulation affects financial services companies doing business in New York even if they are headquartered in Chicago or elsewhere in the Midwest. For example, DFS notes that bank branches located in New York are required to comply with this New York State law, and DFS retains the right to examine branches located in New York. There are some exemptions for organizations with fewer than 10 employees, less than $5M in gross revenue, or less than $10M in assets.
The regulation includes a comprehensive list of requirements for protecting information systems from cybersecurity threats and unauthorized access to “non-public information.” Unlike most regulations, which tend to be vague and require heavy interpretation, this one sets out very specific requirements. However, it does not go as far as providing implementation guidance.
7 Starting Points to Consider When Planning for NYDFS
The regulation also reads as a list of sound best practices for any organization in any country, state, or industry. A partial list is explained below.
- Protect non-public information. Data classification may be needed to ensure appropriate protection levels.
- Maintain a written cybersecurity policy along with heightened board-level or senior officer visibility.
- The chairperson of the board or a senior officer must submit an annual certification to the superintendent of the NY DFS to show the entity is complying with the regulation’s requirements.
- Policies and procedures must be in place that are designed to ensure the security of Third Party Service Providers.
- Covered Entities must notify the Department of Financial Services within 72 hours of determining that certain cybersecurity events have occurred. This notification requirement must be built into the incident response plan.
- Regular cybersecurity awareness training that reflects current risks.
- Multifactor Authentication (MFA).
Below are the key dates under New York’s Cybersecurity Regulation:
- March 1, 2017 – Regulation becomes effective.
- August 28, 2017 – 180-day transitional period ends. Covered Entities are required to be in compliance with the requirements unless otherwise specified.
- September 27, 2017 – Initial 30-day period for filing Notices of Exemption ends. Covered Entities that have determined that they qualify for a limited exemption (fewer than 10 employees, etc.) are required to file a Notice of Exemption on or prior to this date.
- February 15, 2018 – Covered Entities are required to submit the first certification.
- March 1, 2018 – One-year transitional period ends. Covered Entities are required to be in compliance with the next phase of requirements (annual reports, penetration testing and vulnerability assessments, MFA, etc.).
- September 3, 2018 – Eighteen-month transitional period ends. Covered Entities are required to be in compliance with the following phase of requirements (audit trail, application security, data retention, etc.).
- March 1, 2019 – Two-year transitional period ends. Covered Entities are required to be in compliance with all of the requirements.
Complying with this regulation does not guarantee that an organization will be secure. Residual risks remain and need to be tracked to minimize the chance of a data breach or business downtime.
To comply with this regulation, consider an approach that truly secures your organization above and beyond meeting compliance. SWC’s security practice has been helping organizations improve their security posture and meet many types of compliance regulations.
In addition to compliance, having a risk mitigation plan in place for when the inevitable attack occurs is critical. Understanding the risk your users present to your security is a key step in identifying the gaps you need to close to protect your organization. Download the whitepaper Phishing for an Unwitting Accomplice to learn more about the weakest link in your cybersecurity – your user.