What You Need To Know About The NYDFS Cybersecurity Requirements

Following on the heels of the EU’s implementation of the General Data Protection Regulation (GDPR), the state of New York has enacted its own set of information security regulations, with the goal of forcing businesses to reduce risks to sensitive data. The New York Department of Financial Services (NYDFS) Cybersecurity Requirements affect all financial services companies that have clients or offices in, or do business in, the state of New York. The NYDFS regulation requires some significant changes to how many companies handle data security. Though the requirements technically went into effect in March of 2017, the NYDFS provided companies with rolling deadlines and a grace period, extending the deadline to file compliance certificates to February 15, 2018. After this date, the NYDFS will begin conducting audits. The requirements themselves are heavy on both legal and technical terminology, so we put together a simple overview to get you started. If you want an interactive TLDR, we've also put together a quiz to help gauge your company's preparedness.

What type of companies need to meet the NYDFS Cybersecurity Requirements?

We recommend retaining an attorney who specializes in cybersecurity to determine without a doubt whether or not your business needs to meet the requirements. However, as a general rule, if your company provides any type of financial services (lending, investing, banking, or insurance) and you have employees or clients in the state of New York, you are most likely subject to the NYDFS regulation. Even if your company is not required by law to meet the regulations, the requirements provide an excellent cybersecurity framework for any organization that wants to take defending its data more seriously.

What does my company need to have in place?

All financial services companies doing significant business in the state of New York will need to have a comprehensive cybersecurity program that is designed to identify risks (both internal and external) that may threaten the security or integrity of Nonpublic Information stored on the company’s Information Systems. To be compliant with the NYDFS Cybersecurity Requirements, companies must:

Conduct Periodic Risk Assessments

A Risk Assessment identifies and documents a company’s asset vulnerabilities as well as potential internal and external threats to its network. It also outlines what actions a company will take to mitigate or accept potential risks. Under the NYDFS Cybersecurity Requirements, Risk Assessments must be documented, and be revised periodically to keep up with technological developments and newly evolving threats.

Adopt a Written Cybersecurity Policy

Under the NYDFS regulations, all companies must have a written cybersecurity policy in place. Some of the key issues that a written policy must address are: data governance and classification; asset inventory and device management; business continuity and disaster recovery planning; systems and network monitoring; and incident response. This policy must also address third-party cyber risks, meaning companies must take responsibility not just for their own employees, but also for vendors and contractors who have access to sensitive information.

Designate a CISO

A Chief Information Security Officer (CISO) oversees a company’s Information Security program and ensures that sensitive data is only accessible to those who need it. They define and implement risk management frameworks and ensure that security requirements are met. Companies that are bound by the NYDFS requirements should probably consider hiring a CISO as one of their first steps toward compliance, as the CISO will be able to lead the implementation of the other requirements. Businesses looking for a simple solution can look into hiring a virtual CISO, which offers the same level of expertise without the expenses and hassles of expanding the C-suite.

“Hiring a virtual CISO was the easiest business decision I’ve ever made - they took the guesswork out of maintaining our cybersecurity policy and I am now confident we are doing everything we can to protect our client’s data.” - CEO of a large Insurance Corporation

Establish a Written Incident Response Plan

An incident response plan is a set of written instructions for detecting, responding to, and recovering from the effects of an information security event. At a minimum, the response plan must include: definition of roles, responsibilities, and levels of decision-making following a security event; external and internal communication following an event; documentation and reporting following an event; and the identification and remediation of weaknesses following an event.

Implement Cybersecurity Best Practices

Many of the NYDFS Cybersecurity Requirements are already best practices for businesses dealing with sensitive information. Under the new regulations, businesses must enable multi-factor authentication, encrypt all sensitive data, and conduct regular cybersecurity trainings based on their Risk Assessment. They must also either implement continuous network monitoring, which allows analysts to monitor potential threats as they move laterally through a network, or conduct bi-annual vulnerability assessments and annual penetration tests.

Notify the NYDFS of Any Cybersecurity Events

A cybersecurity event is defined as any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt, or misuse an electronic system or information stored on such a system. Companies must immediately notify the superintendent of the DFS if they experience a cybersecurity event. This requirement will hopefully cut down on the number of companies attempting to cover up their data breaches, and will allow for better investigation of events.

Submit an Annual Certification of Compliance

This certification will state that a company has met all of the regulations outlined in the NYDFS Cybersecurity Requirements. Hefty fines will be levied against companies who do not meet the requirements, and legal action may be taken against individuals or companies who falsify their certification.

This is just a brief overview of the NYDFS Cybersecurity Requirements to help gauge your company’s preparedness, and is not intended to replace a thorough cybersecurity assessment or legal counsel. We have helped many companies navigate these and other cybersecurity regulations, and are happy to take an in-depth look at your company’s security program. If you would like to schedule a consultation about how the NYDFS Cybersecurity Requirements may affect your business, and what steps you need to take towards compliance, contact us.