Financial services companies subject to NYDFS' Cybersecurity Regulation only have another month until the deadline to file a second annual Certification of Compliance for calendar year 2018.
Covered entities need to ensure that they’ve applied the effective requirements outlined by the New York State Department of Financial Services' (NYDFS) Cybersecurity Regulation (23 NYCRR 500) by February 15, 2019.
The law requires financial services companies to implement a framework to better protect consumer data privacy. The regulation went into effect on March 1, 2017, but the two-year transitional period enacted around the law ends this year in March.
Specifically, covered entities need to certify compliance with the 23 NYCRR 500.04(b), 500.05, 500.06, 500.08, 500.09, 500.12, 500.13, 500.14 and 500.15 requirements:
- Section 500.04(b) Chief Information Security Officer - The CISO of each covered entity must report in writing at least annually to the board of directors on its cybersecurity program and material risks.
- Section 500.05 Penetration Testing and Vulnerability Assessments - Covered entities must have a cybersecurity program in place in which annual penetration testing and vulnerability assessments are performed.
- Section 500.06 Audit Trail - Covered entities need to maintain systems designed to reconstruct material financial transactions sufficient to support normal operations, to include audit trails, and to retain records as stipulated by NYCRR.
- Section 500.08 Application Security - Covered entities need to have procedures, guidelines and standards around in-house applications. These need to be periodically reviewed by the CISO.
- Section 500.09 Risk Assessment - Covered entities need to conduct a periodic risk assessment of their information systems.
- Section 500.12 Multi-Factor Authentication - Covered entities need to use effective controls, such as multi-factor authentication or risk-based authentication, to protect against unauthorized access to nonpublic information.
- Section 500.13 Limitations on Data Retention - Covered entities need to have policies and procedures for the periodic secure disposal of any Nonpublic Information.
- Section 500.14 Training and Monitoring - Covered entities need to implement risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and to detect unauthorized access to, use of, or tampering with Nonpublic Information by such Authorized Users. The requirement also stipulates that covered entities provide regular cybersecurity awareness training for all personnel.
- Section 500.15 Encryption of Nonpublic Information - Covered entities need to implement controls, including encryption, to protect Nonpublic Information held or transmitted by the Covered Entity, both in transit over external networks and at rest.
Covered entities that are entitled to an exemption need to file a Notice of Exempt status by the same date for 2019, prior to filing for an annual certification.
A second deadline is on the horizon too: by March 1, less than seven weeks away, covered entities need to have written security policies in place that govern the security of third-party service providers, and they must have implemented those policies by that same date.
Essentially, covered entities need to ensure there are written policies and procedures in place so that information systems and nonpublic information handled or held by third-party service providers are secure. Certification of compliance with this rule (23 NYCRR 500.11) doesn't have to be filed for another year, however, until February 15, 2020.
Maria Vullo, NYDFS' Superintendent, sent a memorandum detailing the 2019 deadlines to all DFS-regulated entities shortly before Christmas.
"As Superintendent, I have made clear that the purpose of the DFS cybersecurity regulation is to bolster the financial services industry's defenses against cybersecurity attacks, in order to protect our markets and consumers' private information," Vullo wrote. "The governance framework set forth in the regulation, along with DFS's ongoing oversight, including in regular and target examinations, are intended to assist in the bolstering of the industry's cybersecurity defenses, for the protection of industry, overall markets and consumers."
Previous deadlines imposed by NYDFS required covered entities to have a cybersecurity program and a Chief Information Officer in place, to have policies in place around regular cybersecurity awareness training for personnel, and to file their first annual certification of compliance with the Cybersecurity Regulation.