NYDFS Cybersecurity Regulation Requirements

A cybersecurity program that complies with the new NYDFS Cybersecurity Regulation will adhere to several key requirements, aligned to the NIST Cybersecurity Framework:

• Identify all cybersecurity threats, both internal and external.
• Employ defense infrastructure to protect against those threats.
• Use a system to detect cybersecurity events.
• Respond to all detected cybersecurity events.
• Work to recover from each cybersecurity event.
• Fulfill various requirements for regulatory reporting.

CYBERSECURITY POLICY DESIGN

The initial phase of the NYDFS Cybersecurity Regulation went into effect on February 15, 2018 and requires covered organizations to develop a cybersecurity policy, including an incident response plan that includes data breach notifications within 72 hours. The policy must address concerns in alignment with industry best practices and ISO 27001 standards. Most notably, the policy must cover:

• Information security
• Access controls
• Disaster recovery planning
• Systems and network security
• Customer data privacy
• Regular risk assessments

REPORTING PROCEDURES

Phase two, which went into effect on March 1, 2018, requires CISOs to prepare an annual report that includes:

• The organization’s cybersecurity policies and procedures
• The organization’s security risks
• The effectiveness of the organization’s existing cybersecurity measures

Covered institutions are required to develop and implement a cybersecurity program that continuously evaluates vulnerabilities, which not only informs the annual report but also enables the organization to develop proactive responses to threats.

PROGRAM DEVELOPMENT

Phase three, which went into effect on September 3, 2018, requires covered institutions to have a comprehensive cybersecurity program in place that contains several key elements, including:

• An audit trail that reflects threat detection and response activities
• Written documentation of procedures, standards, and guidelines for in-house applications as well as procedures for evaluating third-party applications
• Detailed data retention policy documentation, including how non-public personal information is disposed
• Encryption and other robust security control measures

THIRD PARTY SECURITY

The final remaining requirement was effective as of March 1, 2019. This requirement states that covered institutions are to finalize their policies regarding any third party which could be given permissions to access systems and files covered by the regulation. Covered financial institutions are required to develop a written policy for third-party security that details:

• Risk assessment of third-party service providers
• The covered financial institution’s security requirements of third-party service providers that must be met in order to conduct business with that entity
• Processes for evaluating the effectiveness of a third-party service provider’s security practices
• Periodic assessments of third-party policies and controls

ADDITIONAL REQUIREMENTS

Organizations covered by the NYDFS Cybersecurity Regulation are also required to:

• Use qualified, continuously trained cybersecurity personnel to manage evolving cybersecurity threats and responses. These can be third party actors.
• Notify the NYDFS about all cybersecurity events that carry a "reasonable likelihood" of causing material harm.
• Limit access privileges. Companies covered by the regulation must monitor and limit access privileges granted to users.

Covered Institutions Must Address New Cybersecurity Challenges

Some requirements of the NYDFS Cybersecurity Regulation go above and beyond existing industry best practices. The most noteworthy are:

• Data encryption: Organizations must enact controls, including encryption of sensitive data, depending on the outcome of a risk assessment.
• Annual certification: Covered entities must complete certification every year to confirm compliance with the regulations.
• Enhanced multi-factor authentication: Covered institutions must employ multi-factor authentication for all inbound connections to the entity's network.
• Incident reporting: Covered entities must document and report all cybersecurity events.

Consequences and Penalties for NYDFS Cybersecurity Regulation Violations

As the regulation currently sits, there are no details regarding fines for violations. However, penalties will be calculated for violations, leaving the amount unknown for covered entities. Once the regulation is fully in force in the Spring of 2019, violations may be alleged and founded. The fees and other ramifications may become public knowledge if such violations occur.

Note: When publicly questioned about the language and fees required of violators, drafters of the NYDFS offered no further explanation.

Benefits and Drawbacks of the NYDFS Cybersecurity Regulation

The NYDFS Cybersecurity Regulation was adopted on March 1, 2017 after a long history of damaging cyber attacks and data breaches in the financial industry. While NYDFS paved the way for other states to enact much-needed cybersecurity regulation, their efforts may not go far enough. In no particular order, here are a few pros and cons surrounding the new regulation:

• The regulation has been scaled back from proposed versions, which called for the encryption of all data at rest and in transit, which many institutions argued was unnecessarily restrictive.
• According to Sam Olyaei, senior research analyst at Gartner Research, the regulation was woefully out of date even before its enactment, though he admits it's much better than regulation in place (or not in place) in other states.
• Organizations with less than 10 employees and independent contractors are considered exempt under the enacted version of the regulation.
• Small and medium-sized companies can rely on third party service providers to meet many of the regulation requirements.

Best Practices for Complying with NYDFS Cybersecurity Regulation

Financial institutions face a near-term compliance challenge in the face of new NYDFS Cybersecurity Regulation. Best practices involve meeting all the requirements in a timely manner, paying special attention to deadlines, and appointing a qualified CISO to pull together an appropriate response. In preparing for NYDFS Cybersecurity Regulation compliance, be sure to:

• Assess whether your institution classifies as "covered." There are several exemptions, but exempt organizations must file as such within 30 days of the end of the most recent fiscal year. To determine whether your organization is "covered," see the NYDFS website's "Who We Supervise" page here.
• Assemble your organization's regulatory compliance team. All covered, non-exempt financial institutions should have assigned a Chief Information Security Officer (CISO). While the CISO holds overarching responsibility for compliance, achieving and maintaining compliance is generally a job for a team rather than an individual, especially considering that the new regulations apply enterprise-wide.
• Understand your risk profile. The required Risk Assessment was required to be submitted by March 1, 2018. However, organizations should be conducting ongoing, periodic risk assessments to identify vulnerabilities and respond proactively to emerging threats.
• Adhere to all deadlines. The final provisions in the new regulation went into effect on March 1, 2019. See the full regulation document here for clarification.

Additional Resources on the NYDFS Cybersecurity Regulation

For more information about the NYDFS Cybersecurity Regulation, visit the following resources:

• See the NYDFS "Who We Supervise" page to assess whether your institution is covered under NYDFS Cybersecurity Regulation.
• The NYDFS regulation document is viewable in PDF form here.
• The NYDFS Regulation FAQs page is here. It answers 14 commonly asked questions about the regulation, including questions about deadlines, requirements, and definitions.