The New York Department of Financial Services released a set of regulations on February 16th, 2017. The Cybersecurity Regulation (23 NYCRR Part 500) places cybersecurity requirements on all covered financial institutions in the state. The rules were developed after two rounds of feedback from the industry and the public, outlining 23 sections that require covered institutions to measure their cybersecurity risks and build up plans to smartly address those risks.
The New York Department of Financial Services’ Cybersecurity Regulation applies to all entities licensed or registered by the department, including banks and other financial firms.
The New York Department of Financial Services (NYDFS) Cybersecurity Regulation has certain exemptions. If your organization has less than 10 employees, annual gross revenue of less than $5 million from New York operations in each of the past three years, and year-end total assets of less than $10 million, you are exempt from some of the requirements set forth in the Regulation.
How does The NYDFS Cybersecurity Regulation Work?
The New York Department of Financial Services Cybersecurity Regulation requires covered organizations to enact a detailed cybersecurity plan, designate a Chief Information Security Officer (CISO), pass a comprehensive cybersecurity policy, and initiate and maintain a continuing reporting system for cybersecurity events.
NYDFS Cybersecurity Regulation Requirements:
Complying with New York’s Cybersecurity Regulation requires your company to follow several key requirements aligned with the NIST Cybersecurity Framework.
- Identify both internal and external cybersecurity threats
- Employ defensive measures to protect against such threats.
- Use a cybersecurity monitoring system to detect events.
- Respond to all perceived cybersecurity events.
- Work to recover from each cybersecurity event.
- Fulfill different requirements for regulatory reporting.
The New York Department of Financial Services’ Cybersecurity Regulation includes rules that go above and beyond existing industry best practices. The most noteworthy ones are:
- Data Encryption: Organizations must enact policies to protect sensitive data, including encryption of that data.
- Annual certification: To maintain compliance with the regulations, covered entities must complete certification each year.
- Enhanced multi-factor authentication: Financial institutions must use multi-factor authentication for all inbound connections to their networks.
- Incident reporting: Covered entities must keep a record of all cybersecurity events.
The new cyber security regulations from the New York Department of Financial Services make it mandatory for entities covered by the regulations to file by August 28, 2017. Non-compliant entities will face penalties. The Compliance Experts at CompCiti can help you file on time and implement a long-term, effective cyber security policy.
Contact CompCiti today for a free needs assessment. They will explain to you what DFS compliance means, how it affects your organization, and how they can help you achieve full compliance. They can be your one-stop for all types of IT Solutions in NYC!
Disclaimer:
This content is created and provided by a third-party online content writer on behalf of CompCiti and is for promotional purposes only. CompCiti does not take any responsibility on the accuracy of this article.