NYDFS Cybersecurity Regulation in Plain English
In 2017, the New York Department of Financial Services (NYDFS) launched a cybersecurity regulation for financial services companies that is similar in scope to the GDPR. This state regulation sets strict requirements for breach reporting and data retention, which are unheard of at the state level.
The New York regulation sets rules for fundamental principles of data security, risk assessments, security policy documentation, and the designation of a chief information security officer (CISO) who is in charge of the program.
Unlike GDPR, there are very specific data security controls, including vulnerability scans and annual pen-testing.
Both these rules and the GDPR protect sensitive nonpublic information, which refers primarily to personally identifiable information (PII).
The Definition of the NYDFS Cybersecurity Regulation
After a round of public and industry reviews, NYDFS issued the regulation composed of 22 sections. The regulation requires the covered entities to evaluate the cybersecurity vulnerabilities present in the industry and develop proactive plans to address them.
The NYDFS Cybersecurity Regulation enforces the use of reasonable cybersecurity procedures. Financial institutions that have already implemented existing PCI standards, such as PCI DSS, should not have trouble complying with the New York rules. The regulator requires companies to implement, at a minimum, specific controls in these areas, including compliance measures.
The NYDFS Cybersecurity Regulation (23 NYCRR 500) aims to promote the protection of customer information and the technology systems of regulated entities. This regulation demands that each company conduct a risk assessment and then implement a security control program to detect and respond to cyber-attacks.
The pros and cons of the NYDFS cybersecurity regulation
It is probably the most comprehensive (many would say “onerous”) cybersecurity regulation for the financial services industry in the country. It responds to a long history of damaging cyber-attacks and data breaches.
NYDFS broke ground for other states to pass cybersecurity regulations, but their efforts may not go far enough. Below are some benefits and drawbacks of the new regulation:
Many institutions argued that the proposed regulations, which demanded that data be encrypted at rest and in transit, were too restrictive. As a result, the regulators scaled them back.
Sam Olyaei, a senior research analyst at Gartner Research, says even before enactment, the law was woefully outdated but admits it is much better than regulation in other states (or none at all).
Under the enacted version of the regulation, organizations with fewer than ten employees and independent contractors are exempt from the regulation.
Small and medium-sized businesses can use third-party service providers to comply with most of the regulation’s requirements.
Who are the covered entities under the NYDFS cybersecurity regulation?
Under the regulation, “covered entities” are those “required to operate under a license or operating under a business registration, charter, certification, permit, accreditation, or related authorization under the Banking Law, the Insurance Law, or the Financial Services Law” of New York. This includes any business that sells a financial services product to New York residents.
The organizations listed below are eligible for a limited exemption.
Even if your business qualifies for the exemption, it is still subject to several cybersecurity risks.
How the NYDFS cybersecurity regulation works
The New York DFS Cybersecurity Regulation requires covered entities to implement strict cybersecurity policies: designate a Chief Information Security Officer (CISO), establish a comprehensive written cybersecurity policy, and establish and maintain a cybersecurity program. Each of these components consists of sub-regulations and requirements.
NYDFS cybersecurity regulation requirements
A comprehensive cybersecurity program that complies with the NYDFS Cybersecurity Regulation will adhere to several key requirements aligned with the NIST Cybersecurity Framework:
Penalties and repercussions for NYDFS cybersecurity regulation violations
Under the current state law, the regulation itself specifies no fine amounts. Penalties are assessed for violations, and an investigation will reveal what nonpublic information was involved.
Among other frustrations for covered entities, the department has not clearly explained what the consequences of noncompliance will be, and the regulation sets no fixed fine for it. The regulation is nonetheless in force today, and violations can be penalized immediately.
If your company has not already taken these rules seriously, it’s time to do so because the regulators are taking them very seriously. To note:
Best practices for complying with the NYDFS Cybersecurity Regulation
The NYDFS Cyber Security Regulation will present unforeseen challenges. Best practices include:
In preparing for NYDFS Cybersecurity Regulation compliance, be sure to:
Ensure your organization follows the above procedures, conducts periodic risk assessments, and maintains an effective cybersecurity program that complies with NIST guidance.
Cybersecurity FAQs
The New York City Regional Regulatory Commission has enacted a new cybersecurity regulation requiring financial services businesses to protect their organizations and customers against cyber criminals. The following are the most common issues and concerns:
Certification of compliance
Is it necessary to file a Certification of Compliance if I file a Notice of Exemption from the Cybersecurity Regulation?
Yes, even if you applied for an exemption under 23 NYCRR Part 500.19, you must file a Certification of Compliance.
There are a few exemptions in the cybersecurity regulation, but an entity that qualifies for one is still subject to the regulation’s remaining requirements.
Cybersecurity event
The term “cybersecurity event” refers to any act or attempt, successful or not, to disrupt, misuse, or gain unauthorized access to an information system or the information stored on it.
Do I have to report all cybersecurity events within 24 hours to NYDFS?
Covered entities must notify the superintendent of certain cybersecurity events within 72 hours of determining that a reportable cybersecurity event has occurred.
Documentation
How much documentation is required besides developing security policies?
In addition to reporting material cyber incidents to NYDFS, the regulation requires the CISO to report the organization’s current cybersecurity state to the board or governing body annually, including material cybersecurity risks, the effectiveness of controls, and material cybersecurity events.
CISOs will have to document the remediation efforts they undertook for any weaknesses discovered during the assessment. Finally, the CISO must annually certify to the NYDFS that their organization is maintaining compliance.
Risk assessment
How frequently do I need to conduct risk assessments?
Covered entities are required to perform “periodic” assessments. However, keep in mind that CISOs will be required to certify their organization’s compliance annually. You should expect to conduct assessments at least once a year.
You may read more FAQs here.
Conclusion
The NYDFS mandates that organizations assess their security risks before developing data governance policies, data classification, system access controls, data protection, system monitoring, and incident response and recovery plans.
The regulation requires companies to implement, at the very least, specific controls in these areas, which are typically part of existing compliance standards.
It is critical to use risk assessments to benchmark and assess the posture of your cybersecurity program. After this process, the organization must provide a Certification of Compliance with the NYDFS Cybersecurity Regulation.
If you have questions about integrated risk management or how Corvid can help your institution achieve its cybersecurity goals, please do not hesitate to contact us.