Answers to your questions on the NYDFS Cybersecurity Requirements

Following the first run of our NYDFS Cybersecurity Requirements webinar series, we have complied a selection of the questions asked by participants.

In this post, IT Governance’s founder and executive chairman, Alan Calder, answers those questions and provides further clarification on how ISO 27001 can provide the framework to help integrate your existing compliance obligations with the NYDFS Cybersecurity Requirements.

When did the Regulation start? How soon does compliance have to be met?
The Regulation came into force on March 1, 2017 and the deadline for reporting to the Superintendent is February 15, 2018. However, there are staggered deadlines for many sets of requirements. Find more information on the deadlines and requirements in our free green paper >>

Is the legislation available online? Could you share the link to it?
The 23 NYCRR 500 is available on the NYDFS website.

Which market verticals does the legislation apply to?
All New York financial entities regulated by the NYDFS must comply with the legislation. You can visit the NYDFS website to check if you fall under its supervision.

Where does NIST differ from ISO 27001 and how does it relate to this legislation?
NIST publishes a series of standards, guidelines, and cybersecurity frameworks. However, it does not have a certification option like ISO 27001. NIST guidelines can be deployed alongside ISO 27001. This best-practice standard allows an organization to use risk assessment methodologies and controls that are appropriate to its sector or jurisdiction. ISO 27001 provides an independent framework in which an independent certification audit can be carried out.

Do you see any conflicts with existing regulatory requirements in the PCI DSS, NIST, or HIPAA?
Yes, there are conflicts and organizations will need to make sure that their processes meet multiple compliance requirements. One of the strengths of ISO 27001 is that it focuses on the core of cybersecurity: the confidentiality, integrity, and availability of information. It’s possible to map the control requirements of the PCI DSS, NIST and HIPPA to the Annex A controls of ISO 27001. This Standard provides a strong cybersecurity framework to help you complete an integrated management system to meet all of your compliance obligations.

Are there other states with similar legislation?
Yes, other states have cybersecurity regulations, but none that apply solely to the financial sector. Massachusetts mandates that anyone engaged in commerce, and who handles and retains individuals’ personal data, must comply with the 201 CMR 17.00 standards.

In Section 500.06 Audit Trail, what is your take on the wording “materially harming any material part of the normal operations”? What isn’t materially important for attempted and/or successful cybersecurity event logs?
The Regulation is a law and should be treated as such. The meaning of legal terms is normally defined, in the end, by a legal court. It’s in your best interest to get advice from your legal counsel on how a term, such as “materially harming”, is defined. When seeking legal advice, we recommend that you get explanations of terms provided in writing. In the long run, this will save on the costs of having counsel look through the Regulation. Normally, “materially harming” is defined as anything having an impact on operations, and will be determined by the size of the organisation, and the extent to which confidentiality, integrity, and availability have been harmed.

For all those that missed the webinars the first time around, we’re re-running the series. Please join us for the first webinar of this four-part series on May 25th.
Get all your questions answered and learn more about the NYDFS Cybersecurity Requirements and ISO 27001.

Webinar 1: NY State’s Department of Financial Services cybersecurity regulation: How to meet requirements within deadlinesDate: May 25, 2017 | Time: 10:15 – 11:00 am (PDT), 1:15 – 2:00 pm (EDT)

Register here >>