The New York Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR 500) came into effect on March 1, 2017. Among its requirements is the obligation to notify the NYDFS of qualifying cybersecurity events within 72 hours of determining that such an event has occurred. This is a drastic strengthening of previous notification requirements: most states’ breach notification laws, including New York’s, set no fixed deadline and require only that breaches be reported “without unreasonable delay.”
Organizations covered by the NYDFS must also meet the Regulation’s other requirements, although some may be exempt from one or more sets of them. The NYDFS breaks down the circumstances for exemption into nine types of entities that fall into five categories.
When do I need to notify?
The NYDFS sets out two scenarios under which covered entities must notify the superintendent of a cybersecurity event:
- When the cybersecurity event has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity.
- When the cybersecurity event triggers a separate obligation on the covered entity to notify a government body, self-regulatory agency, or any other supervisory body.
The Cybersecurity Requirements also mandate that covered entities submit a written statement to the NYDFS each year certifying that they have complied with the Regulation. Organizations must also maintain “all records, schedules and data supporting this certificate for a period of five years.”
To help covered entities manage notifications and certifications, the NYDFS has launched an online portal through which cybersecurity events can be reported and the annual certification of compliance filed.
In a press release, the department’s superintendent, Maria T. Vullo, said: “The DFS cyber portal will allow New York’s financial institutions to quickly, easily, and securely report cybersecurity events and file required certifications of compliance, ensuring that the necessary safeguards are in place to protect New York consumers and financial institutions as the threat of cyber-attacks continues to increase.”
Resources to help you implement the Cybersecurity Requirements
IT Governance offers a number of free resources to help you with your NYDFS Cybersecurity Requirements project.
A good place to start is our two-part green paper, which shows how ISO 27001 can be used as a framework to help you comply with the Regulation. Once you’ve downloaded NYDFS Cybersecurity Requirements – Part 1: The Regulation and the ISO 27001 standard, you’ll receive part two, which details how ISO 27001 provides additional controls to strengthen your cybersecurity posture.
You may also be interested in our NYDFS webinar series.
This series covers the essential parts of the Cybersecurity Requirements: planning controls for the encryption and disposal of non-public information, implementing multi-factor authentication, and monitoring third-party service providers for compliance.