7/17/2017

To Do: Check List to Comply with DFS Cybersecurity Law

For many years, Digital Edge has been building and operating Information Security Programs. We are certified by ISO (International Standard Organization) for our Information Security System. Now it is a requirement for all New York State financial companies to adopt one. 

If you don’t have one, you should build one. If you don’t know how to, we can help. 

To draw the line between Information Security Program and security technologies – it is not enough to have a firewall and an antivirus today. The regulators are requiring to build and maintain risk base cyber security practice designed to protect confidentiality, integrity and availability of information.  
Technology is not enough. Organization have to show a systematic approach in their businesses to manage cyber security aspects. 

The best way of handling such a challenge is to adopt one of well-known cyber security frameworks, such as ISO 27001, NIST Core, SOC2. However even partial adoption would cover DFS requirements. 

Any financial companies should do following in the next 6 months:
 

1. Find out if you are regulated.

DFS supervise following financial institutions:

  • Banks & Trust Companies
  • Budget Planners
  • Charitable Foundations
  • Check Cashers
  • Credit Unions
  • Domestic Representative Offices
  • Foreign Agencies
  • Foreign Bank Branches
  • Foreign Representative Offices
  • Health Insurers
  • Holding Companies
  • Investment Companies (Article XII)
  • Licensed Landers
  • Life Insurance Companies
  • Money Transmitters
  • Mortgage Bankers
  • Mortgage Bankers-Exempt
  • Mortgage Brokers
  • Mortgage Brokers – Inactive
  • Mortgage Loan Originators
  • Mortgage Loan Servicers
  • New York State Regulated Corporations
  • Premium Finance Agencies
  • Private Bankers
  • Property and Casualty Insurance Companies
  • Safe Deposit Companies
  • Sales Finance Companies
  • Savings Banks and Savings & Loan Associations (S&L)
  • Service Contract Providers

 

To confirm whether or not you are regulated, please visit DFS Who We Supervise system.
If you are regulated, we suggest to talk to us.

 

2. See if you are eligible for any of 5 possible exemptions. 

There are 5 categories of exceptions:

Exemption.Category.Type.. Exemption Category Type Description
Exemption Category 1 Small Covered Entities - (i) Covered Entities with fewer than 10 employees, including any independent contractors, of the Covered Entity or its Affiliates located in New York or responsible for business of the Covered Entity (Section 500.19(a)(1)); (ii) Covered Entities with less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations of the Covered Entity and its Affiliates (Section 500.19(a)(2)); and (iii) Covered Entities with less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates (Section 500.19(a)(3)). 
Exemption Category 2 Employees, Agents, Representatives and Designees - Employees, agents, representatives or designees of a Covered Entity who are covered by the cybersecurity program of the Covered Entity (Section 500.19(b)).
Exemption Category 3 Covered Entities without Access to Information Systems or Nonpublic Information - Covered Entities that do not directly or indirectly operate, maintain, utilize or control any Information Systems, and that do not, and are not required to, directly or indirectly control, own, access, generate, receive or possess Nonpublic Information (Section 500.19(c)). 
Exemption Category 4 Insurance Covered Entities without Access to Nonaffiliate Nonpublic Information - Covered Entities under Article 70 of the Insurance Law that do not and are not required to directly or indirectly control, own, access, generate, receive or possess Nonpublic Information other than information relating to its corporate parent company (or Affiliates) (Section 500.19(d)). 
Exemption Category 5 Special Insurance Organizations and Certain Reinsurers - Persons subject to New York Insurance Law Section 1110; Persons subject to New York Insurance Law Section 5904; and any accredited reinsurer or certified reinsurer that has been accredited or certified pursuant to 11 NYCRR 125 (Section 500.19(f)).

If you are exempt you have to:

  1. File a Cybersecurity Notices of Exemption. We can help you with this.
  2. Implement elements of the cycler security program that you are required to implement.
  3. Depending on your exemption category you will still need to build cyber security system. 

Cybersecurity Program requirements are outlined in the following table:

Requirement No Exemption Exemption Category 1 Exemption Category 2 Exemption Category 3 Exemption Category 4 Exemption Category 5
Section 500.02 Cybersecurity Program APPLICABLE APPLICABLE EXEMPT EXEMPT EXEMPT ....EXEMPT....
Section 500.03 Cybersecurity Policy APPLICABLE APPLICABLE EXEMPT EXEMPT EXEMPT EXEMPT
Section 500.04 Chief Information Security Officer APPLICABLE EXEMPT EXEMPT EXEMPT EXEMPT EXEMPT
Section 500.05 Penetration Testing and Vulnerability Assessments APPLICABLE EXEMPT EXEMPT EXEMPT EXEMPT EXEMPT
Section 500.06 Audit Trail APPLICABLE EXEMPT EXEMPT EXEMPT EXEMPT EXEMPT
Section 500.07 Access Privileges APPLICABLE APPLICABLE EXEMPT EXEMPT EXEMPT EXEMPT
Section 500.08 Application Security APPLICABLE EXEMPT EXEMPT EXEMPT EXEMPT EXEMPT
Section 500.09 Risk Assessment APPLICABLE APPLICABLE EXEMPT APPLICABLE APPLICABLE EXEMPT
Section 500.10 Cybersecurity Personnel and Intelligence APPLICABLE EXEMPT EXEMPT EXEMPT EXEMPT EXEMPT

Section 500.11 Third Party Service Provider Security Policy

APPLICABLE APPLICABLE EXEMPT APPLICABLE APPLICABLE EXEMPT
Section 500.12 Multi-Factor Authentication APPLICABLE EXEMPT EXEMPT EXEMPT EXEMPT EXEMPT
Section 500.13 Limitations on Data Retention APPLICABLE APPLICABLE EXEMPT APPLICABLE APPLICABLE EXEMPT
Section 500.14 Training and Monitoring APPLICABLE EXEMPT EXEMPT EXEMPT EXEMPT EXEMPT
Section 500.15 Encryption of Nonpublic Information APPLICABLE EXEMPT EXEMPT EXEMPT EXEMPT EXEMPT
Section 500.16 Incident Response Plan APPLICABLE EXEMPT EXEMPT EXEMPT EXEMPT EXEMPT
Section 500.17 Notices to Superintendent APPLICABLE APPLICABLE EXEMPT APPLICABLE APPLICABLE EXEMPT
Section 500.19 Notice of Exemption within 30 Days of Determination APPLICABLE APPLICABLE APPLICABLE APPLICABLE APPLICABLE EXEMPT

 

3. By August 28, 2017, covered entities must be in compliance. 

 

4. February 15, 2018, covered entities must submit first Certification of Compliance.

 

What Digital Edge can do for you:

  1. Fully or partially build and maintain your Cybersecurity Program. 
  2. Be a part of your Cybersecurity Program saving you money. 
  3. Consult on the implementation.
  4. Show you how to get into compliance virtually free.

 

Was this article helpful?
LET'S TALK: 800-714-5143