Cyber Security Regulation
Every private and municipal entity in New York State should be asking whether it, or one of its partners, affiliates or service providers, is a regulated entity or licensed person required to comply with the cyber-security regulation overseen by the NYS Department of Financial Services (DFS). To determine whether you, or a partner or affiliate, are supervised by DFS, check the DFS website.
DFS regulation 23 NYCRR 500 went into effect over one year ago (March 1, 2017), but compliance was phased in: the first annual certification of compliance was not due until February 15, 2018, and the remaining requirements take effect in stages through March 1, 2019.
The implementation of this regulation, while potentially costly and cumbersome for covered entities, seems a positive and thoughtful step in the wake of significant data breaches by cyber-criminals at some of our country’s largest institutions. Protecting the personal identifying information and other sensitive data that many banks, insurance carriers/agents/brokers, financial service providers, and others collect and retain has become a necessity, not an expectation.
The regulation is designed to, “promote the protection of customer information as well as the information technology systems of regulated entities.” To that end, the regulation requires covered entities to attest to compliance in the following areas:
Cybersecurity Program (must be in place)
Cybersecurity Policy (must be created, and implemented)
Chief Information Security Officer (must be designated)
Penetration Testing and Vulnerability Assessments (penetration testing performed annually, vulnerability assessments twice a year)
Audit Trail (must be maintained)
Access Privileges (must be limited)
Application Security (must be implemented)
Risk Assessment (required to be updated regularly)
Cybersecurity Personnel and Intelligence (must be qualified and trained)
Third Party Service Provider Security Policy (must be created and adhered to)
Multi-Factor Authentication (required for any individual accessing the covered entity's internal network from an external network)
Limitations on Data Retention (implementation of secure disposal procedures)
Training and Monitoring (personnel must be trained)
Incident Response Plan (required to be written and implemented)
Notices to Superintendent (a cybersecurity event that has a reasonable likelihood of materially harming the entity, or that must be reported to another government body, must be reported to DFS within 72 hours of determining it occurred)
Depending on an entity's size (headcount, gross annual revenue from New York operations, and year-end total assets), some organizations qualify for a limited exemption from certain sections of this regulation, but they must file a notice of exemption with DFS. All covered entities are required to certify their compliance with the regulation to DFS annually.