The New York State Department of Financial Services’ (DFS) mandatory cybersecurity requirements for financial services entities became effective on March 1st, 2017, with a two-year implementation period. The regulation requires banks, insurers, and other financial institutions to establish and maintain a “risk-based, holistic, and robust security program” that is ultimately designed to protect consumers’ private data.
The regulation requires all DFS regulated entities, subject to certain exemptions, to adopt the core requirements of a cybersecurity program, including a cybersecurity policy, effective access privileges, cybersecurity risk assessments, and training and monitoring for all authorized users, among other requirements. The regulation also requires the establishment of governance processes to ensure senior attention to these important protections. The final effective date for the regulation will be March 1, 2019, by which time, under section 500.11, DFS regulated entities are required to have written policies and procedures that are based on a risk assessment to ensure the security of nonpublic information and information systems that are accessed or held by third party service providers.
Accordingly, by March 1, 2019, all banks, insurance companies, and other financial services institutions and licensees regulated by DFS will be required to have a robust cybersecurity program in place that is designed to protect consumers' private data; a written policy or policies that are approved by the Board of Directors or a Senior Officer; a Chief Information Security Officer to help protect data and systems; and controls and plans in place to help ensure the safety and soundness of New York's financial services industry including encryption and multifactor authentication. The regulation sets forth certain limited exemptions, many of which still require certain cybersecurity programs and practices.
Key Dates for 2019 Cybersecurity Filings
All regulated entities and licensed persons of the New York State Department of Financial Services (DFS) are required to file various notices with the Superintendent.
Digital Edge is an expert in ISO standards and is certified by the International Organization for Standardization on Information Security and Quality (ISO 27001). There is a clear crosswalk between the DFS regulation and ISO standards. Digital Edge will help implement policies, standards and practices that cover all DFS requirements, based on the International Organization for Standardization framework.
Contact us today to further explore how our team can provide your business with an unparalleled cybersecurity solution, with our continued focus on Stability, Security, Efficiency and Compliance.
For more information on this regulation and to ensure that your organization is following the critical compliance requirements, please read our most recent articles:
- DFS Compliance – Mandatory Cybersecurity Requirements
- To Do: Check List to Comply with DFS Cybersecurity Law
- Discover the NEW online DFS Cybersecurity Reporting Portal
- Exempt from DFS Cybersecurity Regulations – Now What?