Just four months after the March 1, 2017 effective date for the newly designed New York State cybersecurity regulation—courtesy of the Department of Financial Services (DFS)—this may be a good time to see how things are going. You and your team probably have all the basic information, but do you feel confident that you are in compliance?
The History of the New York State DFS Cybersecurity Regulation
Back in 2014 and 2015—on the heels of the Target, Home Depot and Anthem data breaches—the New York Department of Financial Services (NYDFS) felt compelled to tighten up its cybersecurity regulations, reports Reuters. The DFS did not want its insurers and banks to face large financial losses or the loss of valuable customers due to a loss of trust in their cybersecurity standards.
On September 13, 2016, Governor Cuomo announced the proposal of New York’s first-in-the-nation cybersecurity regulation to protect customers and financial institutions. The proposed rule focused on protecting customer data and financial institutions from terrorist organizations, cybercriminals and other criminal enterprises.
Governor Cuomo, along with other designers of this important regulation believed that it was essential that New York, the financial capital of the world, take the lead in protecting customers and the nation’s financial system from the serious economic harm that often accompanies threats that come from state-sponsored organizations, global terrorist networks and independent cybercriminals.
After releasing the initial draft of the cybersecurity regulation in September 2016, there was a public comment period that garnered a response of 150 comments. Due to the overwhelming response—particularly coming from small-to-medium sized companies worried about the one-size-fits-all approach—the NYDFS announced on December 28, 2016 that it had revised the proposed regulation to walk back some of the more stringent regulation. At that time, the NYDFS also extended the cybersecurity regulation’s effective date for an additional two months. The New York State DFS cybersecurity regulation would become effective on March 1, 2017.
Who Must Comply with the NYDFS Cybersecurity Regulation?
The NYDFS cybersecurity regulation has far-reaching implications. It applies to any person or organization operating under a license, registration, charter, certificate, permit, accreditation or similar authorization under New York banking, insurance or financial services law; the regulation calls these organizations "covered entities." It does not matter whether the company is physically located in New York, only whether it is subject to DFS authority. Third-party service providers, including application and hosting providers, are not covered entities themselves, but they are affected indirectly: covered entities must assess the risk these providers pose and impose security requirements on them by contract. The regulation also contains limited exemptions (for example, for very small entities measured by employee count, revenue and assets), but an exempt entity must still file a notice of exemption with the DFS.
What Does the NYDFS Cybersecurity Regulation Involve?
The NYDFS cybersecurity regulation provides an initial transitional period of 180 days so that covered entities have time to stand up the basics. By August 28, 2017, covered entities are required to have met the following requirements (the first annual certification that follows is due in February 2018):
- Perform a Risk Assessment.
- Design and Document a Strong Cybersecurity Program.
- File the First Annual Certification with the NYDFS (due February 15, 2018).
- Create a Cybersecurity Policy and an Incident Response Plan.
- Continuously Focus on Training Cybersecurity Personnel.
- Designate a Chief Information Security Officer (CISO).
- Notify the Superintendent When Cybersecurity Events Occur.
The risk assessment itself is not required under the rule until March 1, 2018, when the one-year transitional period ends, but it is in the best interest of covered entities to perform it early, because nearly everything else in the regulation is supposed to be "based on the risk assessment." The goal of the assessment is to identify the covered entity's risks, the types of nonpublic information it holds and processes, and the systems that handle that information, so that controls can be sized appropriately. With the risk assessment in hand, you have the foundation for the cybersecurity program, the written cybersecurity policy, audit trails, multi-factor authentication, and access privilege grants and restrictions, each scaled to the data, services and systems for which you are responsible.
Work with your cybersecurity team, which may include retained professional cybersecurity consultants, to develop a cybersecurity program based on that risk assessment. The program should focus on protecting the confidentiality, integrity and availability of the covered entity's information systems: identifying risks, defending against them, detecting and responding to cybersecurity events, recovering from them, and reporting as required. The program itself is due at the end of the initial 180-day transitional period, although several of its risk-driven components (such as penetration testing and vulnerability assessments, multi-factor authentication, audit trails and encryption) have later deadlines of one to two years from the effective date. Document everything produced in developing the program, because all of it must be made available to the superintendent upon request.
The first annual certification of compliance is due from each covered entity no later than February 15, 2018, and a certification is due each February thereafter.
Your written cybersecurity policy, also based on the initial risk assessment, must be approved by a senior officer or the board and must be accompanied by a written incident response plan that addresses how the entity will respond to and recover from a cybersecurity event.
Whether you use an in-house cybersecurity team or a third-party service provider, the regulation requires qualified cybersecurity personnel who stay current on cybersecurity threats and appropriate countermeasures, and who receive regular training to do so.
You can hire a CISO (Chief Information Security Officer) as a permanent employee, or the role can be filled by an affiliate or a third-party service provider, provided the covered entity retains responsibility for compliance and designates a senior person to oversee the outside CISO. The CISO must report in writing to the board at least annually on the state of the cybersecurity program.
The regulation defines a cybersecurity event broadly as any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt, or misuse an information system or the information stored on it. Not every such event has to be reported, however. Notice to the superintendent is required within 72 hours of determining that a cybersecurity event has occurred when the event either must be reported to another government body, self-regulatory agency or supervisory body, or has a reasonable likelihood of materially harming any material part of the entity's normal operations. Your incident response plan should therefore include a documented step for making that determination and starting the 72-hour clock.
Learn More About the NYDFS Cybersecurity Regulation and How It Might Affect Your Organization
There is much more to the NYDFS cybersecurity regulation, with further requirements phasing in at later dates. If you have questions about those future requirements or the ones listed here, the I.S. Partners, LLC team is here to help. While this unprecedented regulation is intended to help covered entities, it does present challenges in time and staffing. Contact us by sending us a message or calling us at 215-675-1400 to discuss ways we can help you stay in compliance with this new regulation and its many requirements.