Knowledge

7/7/2017

DFS Compliance – Mandatory Cybersecurity Requirements

Please download the full PDF version here.

 

Executive Summary

On March 1, 2017, the New York State Department of Financial Services’ (DFS) mandatory cybersecurity requirements for financial services entities became effective, with implementation to occur within 180 days (August 28, 2017). Thus, requiring banks, insurers, and other financial institutions to establish and maintain a “risk-based, holistic, and robust security program” that is ultimately designed to protect consumers’ private data.

Why Use Digital Edge for your DFS Cyber Security Needs?

Digital Edge is an expert in ISO standards, is certified by International Standard Organization on Information Security and Quality (ISO 27001). There is a clear crosswalk between DFS law and ISO standards. Digital Edge will help to implement policies, standards and practices to cover all DFS requirements based on International Standards Organization framework.

About Us

Digital Edge provides unparalleled Managed Cloud Solutions, as well as, superior Information Technology Support Services. Skilled and accredited, with a proven track record for almost 20 years, we operate exclusively within prime data center facilities providing Enterprise IT Services expertise in:

  • Managed Cloud Services
  • Private and Hybrid Cloud
  • Infrastructure as a Service
  • IT Support and Outsourcing
  • 24/7 NOC and SOC Operation
  • Business Continuity and Disaster Recovery

Digital Edge’s organization is nicely balanced between our experience and ability to support a number of Enterprise Class IT organizations with complex needs and large processing demands, while staying quick and flexible.

Internally, the Digital Edge team strives to deliver any solution with Stability, Security, Efficiency and Compliance. This is the heart beat of Digital Edge. We achieve this drive through years of experience in engineering solutions, high level of IT management automation and constant innovation.

 

Getting Ready For New York DFS Cybersecurity Regulation

On March 1, 2017, the New York State Department of Financial Services’ (DFS) mandatory cybersecurity requirements for financial services entities became effective, with implementation to occur within 180 days (August 28, 2017). Thus, requiring banks, insurers, and other financial institutions to establish and maintain a “risk-based, holistic, and robust security program” that is ultimately designed to protect consumers’ private data.

This act is the first-in-the-nation cyber security regulation for financial institutions, and the requirements from DFS go beyond what we’ve historically seen from regulators. Banks, insurance companies, and companies that do business in New York must now assess their cyber risks, implement a comprehensive, written cybersecurity program, as well as manage the cyber risks of their third-party vendors. This groundbreaking regulation now holds company board members personally liable for annual compliance certification.

At a high level, the regulation requires that all covered entities:

  • Conduct a documented risk assessment
  • Establish a risk-based cybersecurity program
  • Adopt a written cybersecurity policy
  • Designate a qualified CISO
  • Implement written third-party cyber risk policies
  • Establish a written incident response plan
  • Notify the superintendent of DFS of any cybersecurity events
  • Submit an annual certification of compliance

Accordingly, this regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities. This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion. Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations. A regulated entity’s cybersecurity program must ensure the safety and soundness of the institution and protect its customers.
(For more information regarding the DFS Cybersecurity Regulation 23 NYCRR Part 500, please view the Appendix.)

 

Why Now?

DFS has been closely monitoring the ever-growing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors. Recently, cybercriminals have sought to exploit technological vulnerabilities to gain access to sensitive electronic data. Cybercriminals can cause significant financial losses for DFS regulated entities as well as for New York consumers whose private information may be revealed and/or stolen for illicit purposes. The financial services industry is a significant target of cybersecurity threats. DFS appreciates that many firms have proactively increased their cybersecurity programs with great success.

Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances.

It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs. The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark. Adoption of the program outlined in these regulations is a priority for New York State.

 

Key Dates: DFS's Cybersecurity Regulation (23 NYCRR Part 500)

March 1, 2017 - 23 NYCRR Part 500 becomes effective.

August 28, 2017 - 180-day transitional period ends. Covered Entities are required to be in compliance with requirements of 23 NYCRR Part 500 unless otherwise specified.

September 27, 2017 – Initial 30-day period for filing Notices of Exemption under 23 NYCRR 500.19(e) ends. Covered Entities that have determined that they qualify for a limited exemption under 23 NYCRR 500.19(a)-(d) as of August 28, 2017 are required to file a Notice of Exemption on or prior to this date.

February 15, 2018 - Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.

March 1, 2018 - One year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500.

September 3, 2018 - Eighteen-month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.

March 1, 2019 - Two-year transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11.

 

Is Your Business Prepared to Meet These Requirements?

It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs. The number of cyber events has been steadily increasing and estimates of potential risk.

Let the Digital Edge Cyber Security Team ease the burden of implementing the robust NYDFS Cybersecurity Regulation. Contact our Sales Team at for your free assessment and align yourself with compliance today!

 

Was this article helpful?