The Cybersecurity Requirements for Financial Services Companies, released by the NYDFS (New York State Department of Financial Services), came into effect on March 1, 2017.
All financial services companies that fall under NYDFS supervision are required to implement adequate information security measures. 23 NYCRR 500 is considered the first state regulation to address financial services cybersecurity.
Deadlines make information risk management a top priority
The Regulation has a number of different compliance deadlines, staged over transitional periods of 180 days, one year, eighteen months, and two years from the effective date. It is important to know what is necessary to meet each compliance obligation.
The NYDFS has made additions and clarifications to its FAQ regarding 23 NYCRR 500, such as how often penetration testing and vulnerability assessments must be completed (penetration testing at least annually, vulnerability assessments at least twice a year).
Deadlines you must have met
By March 1, 2018, organizations were required to have:
- Appointed a CISO (chief information security officer)
- Begun training and monitoring personnel
- Begun regular penetration testing and vulnerability assessments
- Implemented cyber risk assessments
- Deployed multi-factor authentication for any individual accessing internal networks from an external network (or equivalent controls approved in writing by the CISO)
- Submitted the first annual Certification of Compliance to the superintendent (due February 15, 2018, covering the previous calendar year)
By September 3, 2018, organizations were required to:
- Maintain audit trails designed to reconstruct material financial transactions sufficient to support normal operations and obligations, and to detect and respond to cybersecurity events, retaining transaction records for at least five years and cybersecurity event records for at least three years
- Write procedures, guidelines, and standards to ensure the secure in-house development of applications, and procedures for evaluating, assessing, and testing the security of externally developed applications
- Ensure all application security procedures, guidelines, and standards are periodically reviewed, assessed, and updated as necessary
- Write policies and procedures for the secure disposal of non-public information that no longer needs to be retained
- Implement risk-based policies, procedures, and controls to monitor the activity of authorized users and to detect unauthorized access to, use of, or tampering with non-public information
- Provide cybersecurity awareness training for all personnel on a regular basis, which reflects emerging technology trends and emerging risks
- Implement controls, including encryption, to protect non-public information in transit over external networks and at rest; where encryption is infeasible, the CISO must approve effective alternative compensating controls in writing
The core requirements of the Regulation took effect at the first transitional deadline, August 28, 2017. By March 1, 2019, when the final transitional period ended, organizations were therefore required to:
- Maintain a cybersecurity program
- Implement and maintain a cybersecurity policy
- Report to the board of directors in writing on the cybersecurity program at least annually
- Limit and periodically review user access privileges
- Use qualified cybersecurity personnel
- Implement written policies and procedures designed to ensure the security of information systems and non-public information
- Establish a written incident response plan designed to ensure prompt response to and recovery from cybersecurity incidents
- Notify the superintendent as promptly as possible, and no later than 72 hours after determining that a reportable cybersecurity event has occurred (one that must be reported to another government or supervisory body, or that has a reasonable likelihood of materially harming normal operations)
- Submit an annual written Certification of Compliance covering the previous calendar year, by February 15 each year
- Implement written policies and procedures to ensure the security of information systems and non-public information that are accessible to, or held by, third-party service providers (the requirement due at the March 1, 2019 deadline itself)
ISO 27001 implementation and the NYDFS
Meeting the NYDFS’s requirements by the deadlines set can be challenging for organizations. It is essential to take the right steps now to plan your cybersecurity program and align it with your business objectives.
You can meet your obligations and deadlines with ISO 27001, the international standard outlining the specification for a best-practice ISMS (information security management system). Such a management system is an effective way to meet the Regulation’s requirements, protect and monitor information, and implement continual improvement processes, helping your organization keep up with ever-evolving cyber threats.
Learn more about ISO 27001 and the NYDFS cybersecurity requirements with our free green paper >>