Understanding the NYDFS Cybersecurity Requirements
The Cybersecurity Requirements for Financial Services Companies released by New York State’s Department of Financial Services (NYDFS) came into effect on 1 March 2017. All financial services companies that fall under NYDFS supervision are required to implement security measures in order to protect themselves against cyber attacks.
Who else is affected?
It is worth noting that the Regulation applies to any financial institution with a branch in New York, as well as third-party suppliers of New York-based institutions. The Cybersecurity Requirements will have a national, and even international, influence.
Even if a Covered Entity – which is an individual or organisation that operates under a licence, permit or other authorisation under the New York banking law – is not headquartered in New York, it must still comply with the Regulation if it has branches in the state that are under the authority of the NYDFS.
The Regulation imposes a number of requirements on organisations, including to:
- Maintain a cyber security policy and programme
- Appoint a chief information security officer (CISO)
- Limit access privileges and periodically review these privileges
- Implement risk assessment controls and an incident response plan
- Use qualified cyber security personnel
- Establish a written cyber security incident response plan
Challenging deadlines
The Regulation has a number of different compliance deadlines, with timelines ranging from six months to two years. Written documentation must be submitted to the Superintendent of Financial Services by February 2018, certifying that the organisation meets the requirements.
In the event of a cyber attack or a breach, the organisation must report the incident to the Superintendent within 72 hours.
Taking the right measures for compliance
Implementation could be challenging for organisations, as there are many requirements and different timelines for each of them. Taking the right steps now to plan your cyber security programme and align it with your business objectives is essential.
By 28 August 2017, organisations that are regulated by the NYDFS must comply with the first set of requirements, which include maintaining a cyber security policy and programme. The cyber security programme should be derived from the organisation’s risk assessment.
The risk assessment is an essential part of complying with the Regulation and should not be delayed. Many companies may see this requirement as a gruelling task, but it does not have to be. vsRisk™ is a risk assessment software tool that can help you comply with the Regulation, saving you time and money.
If you want to learn more about risk assessments and the NYDFS Regulation, you should listen to our recent webinar: NYDFS – a guide to risk assessment.
Delivered in partnership with IT Governance, the webinar covered the importance of the risk assessment and the ideal timeframe for conducting it, and included a demonstration of vsRisk.
This webinar was presented by Alan Calder, the founder and CEO of IT Governance, and Michael Pollington, Vigilant Software specialist.