In response to the increasing cybersecurity threat posed to information and financial systems, the New York State Department of Financial Services (DFS) has passed the State of New York’s Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500). This law took effect on March 1, 2017 in an effort to protect customer information, as well as the IT systems of regulated entities. The adoption timeline for the specific requirements of the regulation continues throughout 2018 and 2019.

What does this mean for you?

If you are a financial services organization licensed and/or regulated by the New York State DFS, you are now required to assess your specific security risk profile and design a program that addresses your organization’s risks, as well as file an annual certification that confirms you are in compliance with the regulations.

What are the requirements?

The complete list of requirements can be found here, but here is a partial list:

  • Implement a cybersecurity program that can:
    • Identify and assess internal and external cybersecurity risks
    • Detect and respond to cybersecurity events
    • Fulfill applicable regulatory reporting obligations
  • Designate a Chief Information Security Officer (CISO) and utilize qualified cybersecurity personnel (may be from a third party service provider)
  • Continuous monitoring or periodic penetration testing and vulnerability assessments
  • Provide and require all personnel attend regular cybersecurity awareness training
  • Secure applications by ensuring the use of secure development practices for in-house developed applications, and implement procedures for assessing and testing the security of all externally developed applications
  • Assess risk to non-public information and information systems accessible or held by third parties, and conduct third-party security assessments at least annually
  • Implement controls, including encryption, to protect non-public data in transit and at rest
  • Establish an incident response plan