NYDFS Cybersecurity Regulation timeline
The Cybersecurity Requirements for Financial Services Companies, released by the NYDFS (New York State Department of Financial Services), came into effect on March 1, 2017. All financial services companies that fall under NYDFS supervision are required to implement adequate information security measures. 23 NYCRR 500 is considered the first state regulation to address financial services cybersecurity.
Deadlines make information risk management a top priority
The proposal has a number of different compliance deadlines.
It is important to know what is necessary to meet compliance obligations. The NYDFS has made additions and clarifications to its FAQ regarding 23 NYCRR 500, such as when penetration testing must be completed (at least annually with bi-annual vulnerability assessments).
Deadlines you must meet
By September 3, 2018, organizations need to:
- Maintain systems designed to record and reconstruct financial transactions, with the inclusion of audit trails. Organizations are required to detect, respond to, and record cybersecurity events to support normal operations and fulfill obligations
- Write procedures, guidelines, standards, and evaluation procedures to ensure the secure in-house development of applications, and apply evaluation, assessment, and testing methods to externally developed applications
- Ensure all application security procedures, guidelines, and standards are periodically reviewed, assessed, and updated as necessary
- Write policies and procedures for the secure disposal of non-public information that no longer needs to be retained
- Implement risk-based policies, procedures, and controls to monitor authorized user activity, while detecting unauthorized access, use of, or tampering with non-public information
- Provide cybersecurity awareness training for all personnel on a regular basis, which reflects emerging technology trends and emerging risks
- Implement controls, including encryption, to protect non-public information they hold or transmit
By March 1, 2018, organizations were required to have:
- Appointed a CISO (chief information security officer)
- Begun training and monitoring personnel
- Begun regular penetration testing and vulnerability assessments
- Implemented cyber risk assessments
- Deployed multi-factor authentication
- Submitted a certificate of compliance to framework requirements
The multi-faceted Regulation – 23 NYCRR 500
Among many provisions, the Regulation requires organizations to:
- Maintain a cybersecurity policy and program
- Appoint a CISO
- Limit access privileges and periodically review these privileges
- Implement risk assessment controls and an incident response plan
- Use qualified cybersecurity personnel
- Establish a written cybersecurity incident response plan
- Adhere to a reporting timeframe to the superintendent of 72 hours, in the event of a cyber attack or breach
ISO 27001 implementation
Implementation can be challenging for organizations as there are many requirements and timelines. It is essential to take the right steps now to plan your cybersecurity program and align it with your business objectives.
You can meet your obligations and deadlines with ISO 27001, the international standard for information security.
ISO 27001 is a best-practice solution that will ensure you meet the NYDFS cybersecurity requirements. This international standard provides an ISMS (information security management system) framework that can be used to meet the Regulation’s requirements, protect and monitor information, and follow a continual improvement approach that allows your organization to keep up with evolving threats.
Learn more about ISO 27001 and the NYDFS cybersecurity requirements >>
Free green papers on the NYDFS cybersecurity requirements and ISO 27001
If you would like more information on the benefits of implementing ISO 27001 to meet the NYDFS cybersecurity requirements deadlines, we recommend you download our free green papers: NYDFS Cybersecurity Requirements – Part 1: The Regulation and the ISO 27001 standard and NYDFS Cybersecurity Requirements – Part 2: Mapped alignment with ISO 27001.
Simply click the green paper link and we will email you copies.
How IT Governance can help
IT Governance can help you gain the skills and tools to implement the ISO 27001 standard alongside the Regulation. We offer products tailored to NYDFS requirements. Find out more here >>
Speak to an expert
Please contact us for further information or to speak to an expert.