NY DFS Releases Cybersecurity Requirements for Financial Service Companies


New cybersecurity regulations are set to go into effect on March 1, and NY-based financial firms need to be prepared.

Announced in September 2016, the new cybersecurity regulation, known as 23 NYCRR 500, was developed to “guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible.”

23 NYCRR 500 requires each company to “assess its specific risk profile and design a program that addresses its risks in a robust fashion.”

The regulation states, “it is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs.”

Organizations covered by the new cybersecurity regulation include banks and trust companies, insurance companies, mortgage lenders, investment companies, brokers and other financial services providers. There are exemptions for smaller organizations, but best practices encourage firms of all sizes to adopt these policies as every organization is at risk of a devastating cyber attack.

The new cybersecurity regulatory regime will go into effect March 1, 2017. As originally proposed, there is a 180-day grace period for companies to comply.

Keep in mind that this regulation requires each company to assess its specific risk profile and design a program that addresses the risks in a robust fashion. The best approach is to meet with a competent and trusted cybersecurity advisor, such as ACE IT Solutions, to discuss a plan tailored for your organization.

Here is a general list of cybersecurity protections that firms must address in order to meet compliance requirements. Details are available here: http://www.dfs.ny.gov/legal/regulations/proposed/rp500t.pdf

  • Cybersecurity Program –
    Each covered entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the firm’s information systems. According to 23 NYCRR 500, “Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations.”
  • Risk Assessment –
    Each covered entity shall conduct a periodic risk assessment of the covered entity’s information systems sufficient to inform the design of the cybersecurity program as required.
  • Cybersecurity Policy –
    Each covered entity shall implement and maintain a written policy or policies, approved by a senior officer or the firm’s board of directors. ACE IT Solutions can help your firm develop cybersecurity policies that meet compliance regulations.
  • CISO – 
    Each covered entity shall designate a qualified individual responsible for overseeing and implementing the firm’s cybersecurity program and enforcing its cybersecurity policy – this individual can be an employee or a third-party service provider such as ACE IT Solutions.
  • Penetration Testing and Vulnerability Assessments –
    The cybersecurity program for each covered entity shall include monitoring and testing, developed in accordance with the firm’s risk assessment, designed to assess the effectiveness of the firm’s cybersecurity program. The monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments.
  • Audit Trail –
    Each covered entity must retain, for five years, an audit trail designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations of the firm.
  • Access Privileges – 
    Each covered entity shall limit user access privileges to information systems that provide access to nonpublic information and shall periodically review such access privileges.
  • Cybersecurity Personnel –
    Each covered entity shall use qualified cybersecurity personnel or a third-party service provider, such as ACE IT Solutions, to manage cybersecurity risks and perform or oversee the performance of the core cybersecurity functions specified and provide cybersecurity personnel with cybersecurity updates and training sufficient to address relevant cybersecurity risks.
  • Third-party – 
    Each covered entity shall implement written policies and procedures designed to ensure the security of information systems and nonpublic information that are accessible to, or held by, third party service providers.
  • Multi-factor Authentication (MFA) –
    Each covered entity shall use effective controls, which may include multi-factor authentication or risk-based authentication, to protect against unauthorized access to nonpublic information or information systems.
  • Data Retention –
    Covered entities must have policies and procedures for securely disposing of “non-public information” on a periodic basis.
  • Training and Monitoring –
    In addition to written cybersecurity policies and procedures, each entity shall provide for regular cybersecurity awareness training for all personnel.
  • Encryption –
    Each covered entity shall implement controls, including encryption, to protect nonpublic information held or transmitted by the firm, both in transit over external networks and at rest.
  • Incident Response Plan –
    Each covered entity shall establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event materially affecting the confidentiality, integrity or availability of the firm’s information systems or the continuing functionality of any aspect of the firm’s business or operations.
  • Notification –
    Covered entities must notify the Department of Financial Services within 72 hours of making a determination that a cybersecurity event of the following types has occurred: (1) a cybersecurity event that has a reasonable likelihood of materially “harming” the normal operations of the covered entity, and (2) a cybersecurity event that requires notice to be provided to any governmental or supervisory body or self-regulatory agency.

ACE IT Solutions can help your board members or senior officers understand the key components of these regulations and create a framework for reviewing a cybersecurity policy. We can also help your firm execute the regulations so that your firm will remain secure and stay in compliance.

Contact us to discuss how 23 NYCRR 500 affects your firm.


View the comprehensive list of requirements here: http://www.dfs.ny.gov/legal/regulations/proposed/rp500t.pdf