The Certification of Compliance filing deadline for the NYSDFS Cybersecurity Regulation (23 NYCRR 500) was February 15, 2019. If you are a regulated entity required to file the Certification of Compliance for 2018 and have not done so yet, you could face fines of up to $250,000, or one percent of your company's total banking assets. If this is alarming, it is time to act.
If you are unsure whether your organization is required to file, or if you know you missed the deadline, our cybersecurity team can help.
1. How do I know if I need to comply?
The NYSDFS Cybersecurity Regulation applies to all Covered Entities, meaning "any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law." This includes state-chartered banks, licensed lenders, private bankers, foreign banks licensed to operate in New York, mortgage companies, and insurance companies; third-party service providers to these entities are covered indirectly through the Regulation's vendor-management requirements.
2. What do I need to do to comply?
The Regulation requires a complete Cybersecurity Program that includes solutions or professional resources able to perform the following core functions:
- Identify and assess internal and external cybersecurity risks
- Use defensive infrastructure, policies, and procedures to protect the covered entity's information systems and Nonpublic Information
- Detect cybersecurity events
- Respond to identified or detected cybersecurity events and manage incidents to mitigate their negative effects
- Recover from cybersecurity events and restore normal operations
- Fulfill all regulatory reporting requirements
If you are currently working with a cybersecurity provider or managing cybersecurity through your internal IT team, you must ensure that they are able to handle all of the requirements listed above. Incident response and recovery in particular are often beyond what an average IT team or third-party firm can handle, so it is important to understand the full breadth of their capabilities in this area.
3. What are the cybersecurity requirements under NYSDFS?
The Regulation also contains more specific requirements, each of which maps to cybersecurity services and solutions that improve overall posture:
- Encryption of Nonpublic Information in transit and at rest
- Multi-factor authentication
- Audit trails
- Limits on access privileges
- Application security
- Testing requirements (penetration testing and vulnerability assessments)
- Risk assessments
- Incident reporting to the Superintendent
- Annual certification of compliance
- Third-party service provider risk management
- Designation of a Chief Information Security Officer (CISO), who may be provided by a third party (a "virtual CISO")
4. Do I need to update my Policies and Procedures?
The following policies and procedures are required under NYSDFS:
- Information security
- Data governance and classification
- Access controls and identity management
- Business continuity and disaster recovery planning and resources
- Capacity and performance planning
- Systems and network security
- Systems and network monitoring
- Systems and application development and quality assurance
- Physical security and environmental controls
- Customer data privacy
- Vendor and third-party service provider management
- Risk assessment
- Incident response
A complete managed security package from IGI includes review and/or development of policies and procedures. Whether you manage these internally or work with a third party, make sure that the team goes beyond basic policies and addresses every area listed above.
5. How do I make sure that I'm compliant and avoid fines?
If you are unclear on your progress or compliance status, contact IGI to perform a NYSDFS Cybersecurity Compliance Readiness Assessment. Our experts will assess your organization against 23 NYCRR 500 and produce a "roadmap" to compliance. If you have already identified your deficiencies, contact IGI to fill the gaps. IGI has solutions for policies and procedures, technologies, and security posture that meet your NYSDFS Cybersecurity requirements.
If you are looking for more information on the NYSDFS Cybersecurity Regulation, or need a baseline cybersecurity assessment to fully understand your current cybersecurity state, we would be glad to work with you. Contact the IGI Cybersecurity Team today.