About the New York State Department of Financial Services Cybersecurity Regulation

What is this all about?

Effective March 1, 2017, the NY Superintendent of Financial Services promulgated 23 NYCRR Part 500, a regulation establishing cybersecurity requirements for financial services companies. All regulated entities and licensed persons covered by the NY Department of Financial Services (DFS) cybersecurity regulation need to ensure that the first certification of compliance is submitted on or before February 15, 2018. The certification should be filed as of December 31, 2017 and should cover all the provisions of the regulation that were in effect as of that date. This certification must be filed electronically via the DFS cybersecurity portal on or before February 15, 2018.

As of the first implementation deadline of August 28, 2017, all banks, insurance companies, and other financial services institutions and licensees regulated by DFS are required to have: a cybersecurity program in place that is designed to protect consumers' private data; a written policy or policies that are approved by the board or a senior officer; a Chief Information Security Officer to help protect data and systems; and controls and plans in place to help ensure the safety and soundness of New York's financial services industry.

The goal of DFS's regulation is to have a robust, risk-based program that prevents cybersecurity attacks. Regulated entities and persons must also report cybersecurity events to DFS through the Department's secure online cybersecurity portal. The DFS web portal also contains a copy of the cybersecurity regulation and a set of frequently asked questions. The DFS compliance certification is a critical governance pillar for the cybersecurity program of DFS-regulated entities, and the DFS cybersecurity portal will allow the safe and secure reporting of these certifications.

The Regulation requires Covered Entities to have a plan in place that provides for Penetration Testing to be done as appropriate to address the risks of the Covered Entity. Such a plan must encompass Penetration Testing at least annually and bi-annual vulnerability assessments, but the first annual Penetration Testing and first vulnerability assessment need not have been concluded before March 1, 2018 under Section 500.05. The Department expects all institutions without continuous monitoring to complete robust Penetration Testing and vulnerability assessment in a timely manner, as they are a crucial component of a cybersecurity program.

So, how can WHOA help?

WHOA offers various options for entities to meet parts of the NY regulation, including vCISO offerings, vulnerability assessments, penetration testing (https://www.whoa.com/penetration-testing/), and compliance-as-a-service packages (https://www.whoa.com/security/).

For more information or to speak with a WHOA.com compliance specialist, call 877-700-WHOA x796.