NYDFS cybersecurity: 180-day transition

Many New York financial companies will soon feel the pressure to update their cybersecurity program to comply with the Department of Financial Service’s (DFS) Cybersecurity Requirements for Financial Services Companies. With all the areas to be covered inside the 180-day transition window, meeting deadlines in a practical and cost-effective way is a concern for many organizations.

180-day transition period

Under sections 500.02 and 500.03, organizations must update their cybersecurity policy and program by the end of this year. Organizations should conduct a risk assessment to get a clear picture of their information systems and vulnerabilities. Having this valuable information will help determine correct measures and controls to implement as part of their cybersecurity program.

Note: Neither this section nor that on risk assessments (500.09) outline a specific set of requirements or a particular risk assessment procedure. Therefore, organizations are free to develop one that aligns with their objectives.

Section 500.03 covers a variety of areas and specifies that policy should be customized to the organization’s risk assessment results. Requirements include:

  1. Information security
  2. Data governance and classification
  3. Asset inventory and device management
  4. Access controls and identity management
  5. Business continuity and disaster recovery planning and resources
  6. Systems operations and availability concerns
  7. Systems and network security
  8. Systems and network monitoring
  9. Systems and application development and quality assurance
  10. Physical security and environmental controls
  11. Customer data privacy
  12. Vendor and third-party service provider management
  13. Risk assessment
  14. Incident response

Additionally, within this 180-day window, organizations must comply with the following sections:

  • 07 – Access Privileges
  • 10 – Cybersecurity Personnel and Intelligence
  • 16 – Incident Response Plan

Implement a cybersecurity policy and program cost-effectively by the deadline

IT Governance is a one-stop shop that provides all the resources you need to help ease the implementation process and complete your cybersecurity policy and program.

We recommend vsRisk™ for conducting a reliable risk assessment. This software helps you deliver an information security risk assessment quickly and easily.
Learn more about vsRisk >>

The international standard ISO 27001 can provide a cost-effective and efficient solution for your cybersecurity program. This standard aligns with the NYDFS Regulation. Download our free green paper to learn more >>

IT Governance will run a series of NYDFS Cybersecurity blogs focused on the DFS requirements. Make sure you get the whole series by signing up for our