Effective March 1, 2017, the New York Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR 500) spells out requirements that the SEC OCIE release either did not include or did not define specifically. Covered Entities were given a 180-day transitional period to comply with most of its requirements.
That transition period ends in about three weeks, on August 28, 2017.
Is your company ready?
If your company is already SEC OCIE compliant, here is what you need to know, and add, to meet the NYDFS requirements by the August 28, 2017 deadline:
- File an Annual Certification Confirming Compliance (Section 500.17(b))
- Develop, Implement, and Maintain Written Policies and Procedures (Section 500.03)
o Information Security
o Data Governance and Classification
o Asset Inventory and Device Management
o Access Controls and Identity Management
o Business Continuity and Disaster Recovery Planning and Resources
o Systems Operations and Availability Concerns
o Systems and Network Security
o Systems and Network Monitoring
o Systems and Application Development and Quality Assurance
o Physical Security and Environmental Controls
o Customer Data Privacy
o Vendor and Third Party Service Provider Management
o Risk Assessment
o Incident Response
- Designate a Chief Information Security Officer (CISO) (Section 500.04)
o Report in writing at least annually to the Board of Directors, governing body, or a Senior Officer on the cybersecurity program
- Conduct Annual Penetration Testing and Bi-Annual (twice-yearly) Vulnerability Assessments (Section 500.05)
- Maintain Records/Audit Trail (Section 500.06)
- Provide Cybersecurity Personnel with Updates and Training to Maintain Current Knowledge of Changing Cybersecurity Threats and Countermeasures (Section 500.10)
- Implement Multi-Factor Authentication (Section 500.12)
- Develop Policies and Procedures for Periodic Secure Disposal of Nonpublic Information (Section 500.13)
- Implement Controls and Encryption of Nonpublic Information (Section 500.15)
- Provide Notice to the Superintendent Within 72 Hours of a Cybersecurity Event, and File the Annual Certification of Compliance by February 15 (Section 500.17)
One caveat: Section 500.22 grants longer transitional periods for several of the items above. Penetration testing and vulnerability assessments (500.05), the CISO's written report (500.04(b)), and multi-factor authentication (500.12) have until March 1, 2018; audit trails (500.06), data disposal (500.13), and encryption (500.15) have until September 1, 2018; third-party service provider policies (500.11) have until March 1, 2019. The written policies, the CISO designation itself, personnel training, and the 72-hour notice obligation all fall under the August 28, 2017 deadline, so those should be the first priority.
What this means is that risk management and cybersecurity are more important now than ever. As noted in Make Time for Risk Management in June, the Ipsos MORI Cyber Security Breaches Survey published in April 2017 reported that only 33% of businesses surveyed had a formal cybersecurity policy and only 11% had a cybersecurity incident management plan in place. That leaves a lot of firms scrambling to become compliant by the August 28 deadline.
Firms can fulfill their cybersecurity compliance requirements in-house or outsource them to trusted vendors or managed service providers. If in-house, firms will need to assess their current cybersecurity controls and put written policies and procedures in place covering the areas listed above, including the periodic secure disposal of nonpublic information, multi-factor authentication, access controls, and encryption. They will also need to designate a Chief Information Security Officer (CISO), who must report in writing to the Board of Directors or governing body on the cybersecurity program. Records and audit trails must be maintained, annual penetration testing and bi-annual vulnerability assessments must be conducted, and procedures must be in place for notifying the Superintendent within 72 hours of a cybersecurity event. Firms will also need continual training and updates for their cybersecurity personnel, and must file the annual certification confirming compliance with all parts of the NYDFS Cybersecurity Regulation by February 15.
If firms outsource to managed service providers, they remain responsible for the security of nonpublic information those providers hold and must maintain policies for assessing and overseeing the providers' cybersecurity practices. That is why the selection of managed service providers is so important. RFA has been a trusted global technology partner for almost 30 years, with nearly 550 financial services clients managing over $900 billion in assets. Dedicated to meeting the unique needs of its client base, RFA offers scalable, reliable, and secure technology infrastructure, while continual investment in research and development helps RFA navigate today's ever-evolving technology landscape. RFA offers a full suite of technology services, including cybersecurity and disaster recovery technology. Contact RFA today to see how we can help ensure your company's compliance with the NYDFS Cybersecurity Regulation.
See the Key Dates published by NYDFS, as well as its updated FAQ section, for further guidance on the Cybersecurity Regulation.