August 28 marks the first set of compliance deadlines for the New York Department of Financial Services (NYDFS) Cybersecurity Requirements. Among the requirements organizations must follow is the need to notify the NYDFS of a reportable cybersecurity event within 72 hours of determining that it has occurred. This is a drastic strengthening of current notification requirements. Most states’ legislation, including New York’s, doesn’t specify a time limit for notification, only that breaches must be reported “without unreasonable delay.”
Organizations covered by the NYDFS will also have to meet other requirements by August 28.
Some may be exempt from one or more sets of requirements. The NYDFS breaks down the circumstances for exemption into nine types of entities that fall into five categories.
When do I need to notify?
The NYDFS sets out two scenarios under which covered entities need to notify the department of a cybersecurity event (a broader term than “data breach”: it covers any act or attempt, successful or not, to gain unauthorized access to, disrupt, or misuse an information system or its data):
- When the cybersecurity event has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity.
- When the cybersecurity event triggers a separate obligation of the company to report to a government body, self-regulatory agency, or any other supervisory body.
The Cybersecurity Requirements also mandate that covered entities submit a written statement to the NYDFS each year to certify that they have complied with this rule. Organizations must also maintain “all records, schedules and data supporting this certificate for a period of five years.”
To help manage breach notifications, the NYDFS has launched an online portal to transmit breach reports in real time.
In a press release, the department’s superintendent, Maria T. Vullo, said: “The DFS cyber portal will allow New York’s financial institutions to quickly, easily, and securely report cybersecurity events and file required certifications of compliance, ensuring that the necessary safeguards are in place to protect New York consumers and financial institutions as the threat of cyber-attacks continues to increase.”
Resources to help you implement the Cybersecurity Requirements
IT Governance offers a number of free resources to help you with your NYDFS Cybersecurity Requirements project.
A good place to start is our two-part green paper, which shows you how ISO 27001 can be used as a framework to help you comply with the Regulation. Once you’ve downloaded NYDFS Cybersecurity Requirements – Part 1: The Regulation and the ISO 27001 standard, you’ll receive part two, which details how ISO 27001 provides additional controls to strengthen your cybersecurity posture.
You may also be interested in registering for our next webinar: Data privacy, security measures, and managing third-party service providers to meet compliance requirements.
The webinar will be delivered on August 17 at 1:15 pm (ET)/10:15 am (PT), and will cover an essential part of the Cybersecurity Requirements – planning controls for the encryption and disposal of non-public information, multi-factor authentication, and monitoring third parties for compliance.
If you can’t make the webinar, it will be available to download from our website, where you can also watch our past presentations.