The New York State Department of Financial Services (NYDFS) requires the financial organizations it regulates to implement specific cybersecurity controls for their information systems.
In February 2017, the NYDFS issued a new cybersecurity regulation, 23 NYCRR Part 500, for banks, insurance companies, and other financial institutions; it took effect on March 1, 2017.
According to the NYDFS, the regulation covers all entities operating under or required to operate under DFS licensure, registration, or charter, or that are otherwise DFS-regulated. Unregulated third-party service providers are not covered directly, but regulated entities must impose minimum cybersecurity practices on them through written policies, due diligence, and contractual protections (section 500.11), so the rules reach those providers by extension.
Organizations That Are Required By Law To Comply*:
- State-chartered banks
- Licensed lenders
- Private bankers
- Foreign banks licensed to operate in New York
- Service contract providers
- Trust companies
- Mortgage companies
- Any insurance company doing business in New York
*Limited exemption. A Covered Entity that meets any one of the following thresholds is exempt from sections 500.04, 500.05, 500.06, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16 of the regulation: (1) fewer than 10 employees, including any independent contractors, of the Covered Entity or its Affiliates located in New York or responsible for business of the Covered Entity; (2) less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations of the Covered Entity and its Affiliates; or (3) less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates. The exemption is partial: such an entity must still comply with the remaining sections, including maintaining a cybersecurity program (500.02) and written policy (500.03), limiting access privileges (500.07), conducting a risk assessment (500.09), overseeing third-party service providers (500.11), disposing of nonpublic information securely (500.13), and notifying the superintendent of cybersecurity events and certifying compliance annually (500.17). The thresholds quoted here are those of the 2017 text; the November 2023 amendment to Part 500 raised them to fewer than 20 employees, less than $7,500,000 in gross annual revenue, and less than $15,000,000 in year-end total assets.
Cybersecurity Requirements by Law
These requirements go beyond existing federal requirements in several important areas.
- Implement a cybersecurity program based on the entity's risk assessment
- Identify and assess internal and external cybersecurity risks
- Use defensive infrastructure to protect information systems
- Implement policies and procedures to protect information systems and nonpublic information
- Detect cybersecurity events
- Respond to identified or detected cybersecurity events
- Recover from cybersecurity events
- Restore normal operations and services
- Maintain written procedures, guidelines, and standards for secure development of in-house applications and for evaluating externally developed applications
- Implement and maintain a written cybersecurity policy or policies, approved by a senior officer or the board
- Designate a CISO (an employee of the entity, of an affiliate, or of a third-party service provider) who reports in writing to the board at least annually
- Perform continuous monitoring or, where that is not in place, annual penetration testing and bi-annual vulnerability assessments
- Notify the superintendent within 72 hours of determining that a reportable cybersecurity event has occurred (one that requires notice to another government body or supervisory agency, or that has a reasonable likelihood of materially harming normal operations)
- Maintain audit trails that can reconstruct material financial transactions, retained for five years (logs used to detect and respond to cybersecurity events for three years)
- Conduct a periodic risk assessment
- Ensure the security of information systems and nonpublic information accessible to or held by third-party service providers
- Use multi-factor authentication for external access to internal networks, or reasonably equivalent controls approved in writing by the CISO
- Monitor the activity of authorized users and provide regular cybersecurity awareness training for all personnel
- Encrypt nonpublic information in transit over external networks and at rest, or use compensating controls approved by the CISO where encryption is infeasible
- Establish a written incident response plan
- Protect all nonpublic information
- Securely dispose of nonpublic information that is no longer necessary for business operations or other legitimate business purposes
- Certify compliance to the superintendent annually