What is the NYDFS Cybersecurity Regulation?
The New York State Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies came into effect on March 1, 2017, with mandatory certification reporting commencing from February 15, 2018.
The primary objective of the Regulation is to protect the confidentiality, integrity, and availability of a company’s information systems and nonpublic information.
The new protections demonstrate how New York State is tightening its cybersecurity regulations to protect consumer data.
NYDFS Cybersecurity Regulation outline
The Cybersecurity Requirements outline a series of arrangements and measures that covered entities should implement in order to mitigate cybersecurity risks and respond effectively to data breaches, thereby minimizing the negative consequences of an incident.
The Regulation “requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion.” It is made up of the following sections:
- Section 500.00 Introduction
- Section 500.01 Definitions.
- Section 500.02 Cybersecurity Program.
- Section 500.03 Cybersecurity Policy.
- Section 500.04 Chief Information Security Officer.
- Section 500.05 Penetration Testing and Vulnerability Assessments.
- Section 500.06 Audit Trail.
- Section 500.07 Access Privileges
- Section 500.08 Application Security.
- Section 500.09 Risk Assessment
- Section 500.10 Cybersecurity Personnel and Intelligence
- Section 500.11 Third Party Service Provider Security Policy.
- Section 500.12 Multi-Factor Authentication.
- Section 500.13 Limitations on Data Retention.
- Section 500.14 Training and Monitoring.
- Section 500.15 Encryption of Nonpublic Information.
- Section 500.16 Incident Response Plan.
- Section 500.17 Notices to Superintendent.
- Section 500.18 Confidentiality.
- Section 500.19 Exemptions.
- Section 500.20 Enforcement.
- Section 500.21 Effective Date.
- Section 500.22 Transitional Periods.
- Section 500.23 Severability.
Who does the NYDFS Cybersecurity Regulation apply to?
The requirements apply to all companies conducting business in New York that are required to operate “under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” of New York. This includes:
- Large and small state-chartered and private banks
- Foreign banks licensed to operate in New York
- Insurance companies
- New York licensed lenders
- Mortgage companies
It is also reasonable to expect that many covered entities will require some of their suppliers and service providers to meet key requirements to provide third-party assurances (notably under Section 500.11).
NYDFS Cybersecurity Regulation exemptions
A limited number of exemptions are in place for smaller organizations:
- Organizations that employ fewer than 10 people
- Organizations that produced less than $5 million in gross annual revenue from New York operations in the past 3 years
- Organizations that hold less than $10 million in year-end total assets
Organizations that fall within the above categories, are exempt from sections 500.04, 500.05, 500.06, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16.
Regardless of the exemptions, it would be sensible to apply many of the same conditions for the simple reason that a cyber attack is likely to be more critically damaging to a small operation.