Last month, many New York State Financial Institutions received their scary “Failure to File Certification of Compliance” email and were perplexed by what to do next… Don’t fear, the Digital Edge VP of Compliance is here to answer your many many submitted questions regarding NYS Department of Financial Services Part 500 Mandatory Cybersecurity Requirements!
I thought I was exempt and now I’m being notified that I’m PAST DUE, what do I do next?
A common misconception regarding DFS 500 Cybersecurity is that entities that filed an exemption believed that they were exempt from this law entirely.
While entities are excused from portions of the requirement, they are not relieved from all statutes of this law, including filing for a Certificate of Compliance. For further information on what your exemption means, click here!
Where do I find a sample Certificate of Compliance? Do I have to create my own?
Cybersecurity Notices of Exemption, Certifications of Compliance, and Notices of Cybersecurity Events should be filed electronically via the DFS Web Portal , so there is no need to find a template or create your own!
Once on the site, you will first be prompted to create an account and log in to the DFS Web Portal, (remember, if you previously filed for an exemption, then you have already created an account and log in to use). Then you will be directed to the filing interface and will be able to electronically file your Certificate of Compliance.
What does Entity ID mean on the portal?
Your Entity ID is your unique license or charter number issued by the State of New York. However, if you are a/an:
- Insurance company, your Entity ID will be your NAIC number
- Mortgage Loan Originators, your Entity ID will be your NMLS number
- Insurance producers, please do not include the leading alpha characters of your License Number (e.g., BR, IA, LA, PC, TLA).
Should I file this certificate if we are not yet in compliance with all applicable requirements of Part 500?
Short Answer – No!!!
Long Answer – The Department expects full compliance with this regulation. A Covered Entity may not submit a certification under 23 NYCRR 500.17(b) unless the Covered Entity is in compliance with all applicable requirements of Part 500 at the time of certification.
If you are not yet in full compliance with this law, let our Digital Edge Cyber Security Team ease your burden of implementing all the necessary NYDFS Cybersecurity Regulations required under your exemption. For more information on how we can help, contact our Sales Team today!
This law requires me to report any cyber-security breach, is there a particular time frame?
23 NYCRR 500.17(a) requires Covered Entities to notify the superintendent of certain Cybersecurity Events as promptly as possible but in no event later than 72 hours from a determination that a reportable Cybersecurity Event has occurred.
A Cybersecurity Event is reportable if it falls into at least one of the following categories:
- the Cybersecurity Event impacts the Covered Entity and notice of it is required to be provided to any government body, self-regulatory agency or any other supervisory body; or
- the Cybersecurity Event has a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.
An attack on a Covered Entity may constitute a reportable Cybersecurity Event even if the attack is not successful.
Are all Third-Party Service Providers required to implement Multi-Factor Authentication and encryption when dealing with a Covered Entity?
This entire regulation heavily requires Covered Entities to develop and implement written policies and procedures, designed to ensure security, which includes information that is accessible to (or held by) 3rd Party Service Providers. Section 500.11, states that included in these policies and procedures that entities address certain enumerated issues, which would include a risk assessment regarding appropriate controls for 3rd Party Service Providers. These controls should be based on your organizations individual facts and circumstances presented and which does not create a one-size-fits-all solution.
Having difficulty implementing/writing these policies or procedure? Don’t know where to begin with a risk assessment? Digital Edge is an expert in ISO standards, is certified by International Standard Organization on Information Security and Quality (ISO 27001). There is a clear crosswalk between DFS law and ISO standards. Digital Edge will help to implement policies, standards and practices to cover all DFS requirements based on International Standards Organization framework, contact us today.
What constitutes "continuous monitoring" for purposes of 23 NYCRR 500.05?
Effective continuous monitoring could be attained through a variety of technical and procedural tools, controls and systems. There is no specific technology that is required to be used in order to have an effective continuous monitoring program. Effective continuous monitoring generally has the ability to continuously, on an ongoing basis, detect changes or activities within a Covered Entity's Information Systems that may create or indicate the existence of cybersecurity vulnerabilities or malicious activity. In contrast, non-continuous monitoring of Information Systems, such as through periodic manual review of logs and firewall configurations, would not be considered to constitute "effective continuous monitoring" for purposes of 23 NYCRR 500.05.
.jpg "Danielle Johnsen")