Is your New York State organization prepared for the new financial compliance regulations under the NY Department of Financial Services? If you’re a financial advisor, brokerage house, or other financial or banking institution, there are some very important things regarding the NYDFS regulations you need to be prepared for. Namely, you need to have your NYS cybersecurity readiness ramped up and meeting certain codified protocols. If you need help, Krantz Secure Technologies can help get you there.

NYDFS cybersecurity rules now in effect for financial institutions

The New York Department of Financial Services reminded financial institutions that the first compliance date of New York’s cybersecurity regulation was on Aug. 28, 2017.

Financial institutions have had since the start of 2017 to implement the cybersecurity regulations that are intended to keep financial institutions and their customers safe.

“This day marks a significant milestone in protecting the financial services industry and the consumers they serve from the threat of cyber attacks,” said Financial Services Superintendent Maria T. Vullo.

“With cyber attacks on the rise and comprehensive federal cybersecurity policy lacking for the financial services industry, New York is leading the nation with strong [NYS cyber security] regulation requiring, among other protective measures, set minimum standards of a cybersecurity program based on the risk assessment of the entity, personnel, training and controls in place in order to protect data and information systems,” continued Vullo.

Ms. Vullo recapped in an August 2017 article that starting August 28, 2017, banks, insurance companies, and other financial services institutions regulated by DFS are required to have:

  • A cybersecurity program designed to protect consumers’ private data.
  • A written policy or policies that are approved by the board or a senior officer.
  • A Chief Information Security Officer to help protect data and systems.
  • Controls and plans in place to help ensure the safety and soundness of New York’s financial services industry.

On top of this, Vullo said covered entities must also begin reporting cybersecurity events to DFS through the department’s online cybersecurity portal.


Most notably, the regulations from the department included stricter guidelines around third-party service providers.

Under the third-party service provider policy, “Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third-Party Service Providers. Such policies and procedures shall be based on the Risk Assessment of the Covered Entity and shall address to the extent applicable.”

And as an added reminder, the NYDFS noted that an NYS cybersecurity event is reportable if it falls into at least one of the following categories:

  • The cybersecurity event impacts the covered entity and notice of it is required to be provided to any government body, self-regulatory agency or any other supervisory body.
  • The cybersecurity event has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity.

As stated above – as of August 28, 2017, all individuals and companies operating under a license, registration, charter, certificate, permit, accreditation or similar authorization under New York banking, insurance or financial services laws (with narrow exceptions described below) (“Covered Entity”) must now:

  • Develop a cybersecurity program and working policy;
  • Designate a Chief Information Security Officer (“CISO”);
  • Limit who has access to data or systems, and use qualified cybersecurity personnel to manage NYS cybersecurity risks;
  • Notify the DFS of a cybersecurity event within 72 hours, and
  • Have a written incident response plan.

The details of each of the aforementioned requirements are described below. Compliance with these requirements must be certified by a Senior Officer or the board of directors of the Covered Entity no later than February 15, 2018.

NYS Cybersecurity Program Provisos

Each Covered Entity must establish and maintain an NYS cybersecurity program, based on the Covered Entity’s risk assessment, designed to protect the confidentiality, integrity, and availability of the Covered Entity’s information systems. Note that while Covered Entities are not required to complete the risk assessment until March 1, 2018, the cybersecurity program (and certain other requirements, such as the NYS cybersecurity policy and access privileges) must already be implemented, so Covered Entities need to complete a reasonable risk assessment now in order to demonstrate clear compliance with those other requirements.

The cybersecurity program must: (i) identify and assess internal and external cybersecurity risks; (ii) use defensive infrastructure to protect information systems and Nonpublic Information stored on such systems; (iii) detect cybersecurity events (which include both successful and unsuccessful attempts to gain unauthorized access to, disrupt or misuse an Information System or information stored on it); (iv) respond to detected cybersecurity events to mitigate any negative effects; (v) recover from cybersecurity events and restore normal operations and services; and (vi) fulfill applicable regulatory reporting obligations.

NYS Cybersecurity Policy Provisos

Each Covered Entity must implement and maintain an NYS cybersecurity policy based on the Covered Entity’s risk assessment and approved by a Senior Officer or the board of directors. The Policy must address the following areas to the extent applicable to the Covered Entity’s operations: (i) information security; (ii) data governance and classification; (iii) asset inventory and device management; (iv) access controls and identity management; (v) business continuity and disaster recovery planning and resources; (vi) systems operations and availability concerns; (vii) systems and network security; (viii) systems and network monitoring; (ix) systems and application development and quality assurance; (x) physical security and environmental controls; (xi) customer data privacy; (xii) vendor and Third Party Service Provider management; (xiii) risk assessment; and (xiv) incident response.

Chief Information Security Officer

Each Covered Entity must designate a qualified individual to oversee and implement the cybersecurity program and enforce the cybersecurity policy (i.e., a Chief Information Security Officer or CISO). If the CISO is a Third-Party Service Provider, the Covered Entity retains responsibility for compliance and must (i) designate a senior personnel member to direct and oversee the Third-Party Service Provider and (ii) require the Third-Party Service Provider to maintain a cybersecurity program. Beginning March 2018, the CISO will also have to submit a written report on the NYS cybersecurity program and material cybersecurity risks at least annually to the board of directors or equivalent governing body.

Access Privileges

Based on the Covered Entity’s risk assessment, each Covered Entity must limit user access privileges to information systems that provide access to Nonpublic Information and must periodically review such access privileges.

Cybersecurity Personnel and Intelligence

Each Covered Entity must utilize qualified cybersecurity personnel of the Covered Entity, an Affiliate or a Third-Party Service Provider that will: (i) manage cybersecurity risks and (ii) perform or oversee the performance of core cybersecurity functions. The Covered Entity must provide the cybersecurity personnel with cybersecurity updates and training.

Incident Response Plan

Each Covered Entity must have a written incident response plan that is designed to promptly respond to, and enable recovery from, any material cybersecurity event and addresses: (i) internal processes for responding to a cybersecurity event; (ii) the goals of the incident response plan; (iii) the definition of clear roles, responsibilities and levels of decision-making authority; (iv) external and internal communications and information sharing; (v) identification of requirements for the remediation of any identified weaknesses in information systems and associated controls; (vi) documentation and reporting regarding cybersecurity events and related incident response activities; and (vii) the evaluation and revision as necessary of the incident response plan following a cybersecurity incident.

Notices to Superintendent

Each Covered Entity must notify NY’s Superintendent of Financial Services within 72 hours of a NYS cybersecurity event that either (i) impacts the Covered Entity of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body; or (ii) has a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.

These requirements will likely have the most significant impact on smaller, local banks and insurers that, unlike larger financial institutions that are already subject to the Gramm-Leach-Bliley Act and devote immense resources to cybersecurity efforts, will now need to bring their NYS cybersecurity programs up to the minimum standards established in the Regulations.

Other Key Deadlines

Covered Entities will have additional transitional periods to comply with certain provisions, specifically: (i) until March 1, 2018 to comply with the requirements relating to the CISO’s first written report, penetration testing and vulnerability assessments, risk assessment, multi-factor authentication and cybersecurity awareness training, (ii) until September 1, 2018 to comply with the requirements relating to audit trails, application security, limitations on data retention, monitoring the activity of authorized users and encryption and (iii) until March 1, 2019 to comply with the requirements relating to third-party service provider security policies.

Key Takeaways

The Regulations reflect a growing global concern for promoting cybersecurity and protecting personal data.

  • Within the United States, we expect that more states will follow the lead of New York and Colorado in passing their own cybersecurity rules. Coupled with potential federal regulations for financial institutions, these legislative measures would collectively create a complex web of regulations for entities that operate across state borders. Entities will need to expend considerable resources to determine which rules cover their operations and to ensure compliance with the substantive and reporting obligations.
  • The best possible outcome of the likely expansion of these rules to other U.S. jurisdictions, given the breadth of the cybersecurity measures adopted or proposed thus far, is that they will be similar in all material respects to the Regulations, and that the federal regulations will include high-level guidance or broad standards rather than specific prescriptive requirements (unless these are consistent with the Regulations).
  • Such consistency (and, possibly, a certain level of harmonization) will make compliance less burdensome on regulated entities and the pertinent third-party service providers that serve them. (Of course, if the state-by-state data breach notification laws are any guide, each jurisdiction is likely to impose its own specific set of rules that often differ in substantial ways from each other.) Moreover, we can safely assume that additional measures will be adopted in the coming months in other non-U.S. jurisdictions as well.
  • Finally, it’s important to bear in mind that despite the costs associated with complying with an array of regulations, the various rules create a benchmark for proper cybersecurity practices. Cyberattacks and personal data loss present substantial risks to the operations for all entities, and the likelihood of follow-on civil and regulatory litigation is substantial. As such, at a minimum, all organizations, even organizations not subject to any of the aforementioned regulations, should consider any cybersecurity rules and standards as indicators of what may be considered best practices; adopting a NYS cybersecurity program consistent with these requirements can help reduce that regulatory and civil litigation exposure, while also protecting the operations and reputation of the business.

Let Krantz Secure Technologies guide you to complete and ongoing DFS-compliant NYS cybersecurity readiness – call us at (212) 286-0325 or email us at sales@KrantzSecure.com for more information on how to get our four decades of IT expertise working for you!