09 April 2019

Are you aware of the NYDFS Cybersecurity Regulation?

If your organisation is in the financial services industry and has a New York presence, then you should have heard of the NYDFS cybersecurity regulation. This blog takes you through the new set of cybersecurity regulations that this government department is currently implementing, including how it will affect your organisation and what you can do to comply.

What is the NYDFS Cybersecurity Regulation and who is affected?

In February 2017, the New York State Department of Financial Services (NYDFS) released a new set of cybersecurity regulations which require all financial institutes to abide by to protect themselves from cyber-attacks. This affects:

  • Banks (including foreign banks licensed to operate in New York)
  • Mortgage companies
  • Insurance companies
  • Service providers
  • Private bankers

As long as the covered entities are licensed in the state of New York, they have to comply with the regulation, including their third parties. The only exemptions of the regulations are companies with 10 or less employees, produce less than $5 million in gross annual revenue from New York operations in the past three years, or hold less than $1 million in year-end total assets.

What are the requirements of the NYDFS cybersecurity regulation?

There are four phases:

Phase One: The Basics
Effective since February 15th 2018. It required entities to apply a cybersecurity policy, designate a CISO (Chief information security officer) and establish response plans, including a plan for notifying of breaches within 72 hours.

Phase Two: Reporting Procedures
Effective since March 1st 2018, CISOs should have annual reports covering the organisation’s information security policies and procedures, the effectiveness of its cybersecurity efforts and any potential security risks.

Phase Three: Cybersecurity Programme Development
Effective since March 1st 2019, covered entities must have a cybersecurity programme in place that includes:

  • An audit trail showing the response to cybersecurity events (for five years)
  • Written procedures, guidelines and standards to prove secure practices on in-house applications and testing of external applications
  • Policies for the disposal of non-public personal information
  • Proof of the implementation of security controls

Phase Four: Securing Third Parties

  • Risk assessment of third-party service providers
  • Your security requirements of third-party service providers to meet your own compliance standards
  • Processes for evaluating the effectiveness of a third-party service provider’s security practices
  • Periodic assessments of third-party policies and controls

Summary of NYDFS regulation requirements:

What are the consequences if the NYDFS cybersecurity regulation is violated?

The regulation fines for violation are likely to be confirmed later in 2019. If organisations are found to be non-compliant with the NYDFS cybersecurity regulation, their violations and fine are likely to become published publicly.

Why has this law been devised?

The financial industry has a history of damaging cyber-attacks and data breaches. The NYDFS believe that, to keep up with the rapidly evolving landscape, the regulation is required to protect customers and organisations from cybercrime.

According to industry research, the financial service sectors were attacked by hackers more so than any other industry in 2016. Over 200 million financial records were breached in that year, a 937% rise from 2015.

How can IRM help my organisation comply with the regulation?

As a cybersecurity consultancy who has operated globally for over 20 years, Information Risk Management (IRM) are in great position to help financial organisations gain and maintain compliance with the NYDFS cybersecurity regulation.

Assigning a CISO – If you are struggling to assign a CISO in your organisation, we have an Executive Security Talent service. This allows us to place one of our talented consultants in your CISO position until your fill it. This ensures your organisation is protected and can continue to develop its cyber-strategy.

Reporting procedures – Our SYNERGi Governance, Risk and Compliance (GRC) platform allows our clients to gain full visibility of their cyber risks across their information security policies and procedures.

The GRC platform allows you to upload standard framework libraries (such as NIST, data protection and ISO 27001) as well as your own bespoke company policies.

Once your security policies are uploaded and linked to different business areas and activities, the SYNERGi dashboards highlight your key risk areas. This single source of visibility provides CISOs with the information they need to apply business changes to manage cyber risk.

Developing cyber programmes – IRM’s risk management consultants can help identify your key data assets, value them, assess the threat and apply a pragmatic risk reduction strategy to defend them appropriately.

This process supports the NYDFS cybersecurity regulation by ensuring you have sufficient practices in place and company-wide policies to support your objectives.

Securing Third Parties – Arguably one of the hardest requirements of the NYDFS is being able to monitor the compliance of your third parties to ensure their procedures are in line with your standards. The SYNERGi platform Vendor Management module is designed to help organisations with this challenge.

With questionnaire functionality, SYNERGi allows organisations to easily capture information from their suppliers. The platform then amalgamates the information to offer an overview of the main risks in your supply chain, helping you to decide on best-practice when it comes to choosing suppliers or helping non-compliant suppliers rectify their cyber risks.

Want to learn more?

If you want to learn more about the NYDFS cybersecurity regulation, you can visit the Department of Finance Services website.

To talk to one of the IRM team about how we can support the numerous requirements of the cybersecurity regulation, fill in our contact form or email us directly at hello@irmsecurity.com