The NYDFS Cybersecurity Regulation is a set of regulations from the New York Department of Financial Services. This legislation places cybersecurity requirements on all financial institutions that operate in New York. It stipulates that all DFS-regulated companies should have cybersecurity plans, policies, and maintain detailed reporting systems for cybersecurity events.
The primary purpose of this regulation is to protect sensitive private information that can be used to identify individuals. Continue reading this page and learn the most important aspects of the NYDFS Cybersecurity Regulation, covered financial institutions, and penalties for non-compliance.
Who are Covered Entities under the NYDFS Cybersecurity Regulation?
When it comes to entities under NYDFS, this legislation precisely defines all of the subjects that fall under this regulation. The NYDFS list includes the following types of businesses:
- State-chartered banks
- Private bankers
- Licensed lenders
- Insurance companies
- Service providers
- Mortgage companies
- Foreign banks with a license to operate in NY
If we do a quick rundown of this list of entities under NYFDS, we can see that the covered financial institutions include all individuals, groups, or corporations that legally operate under New York financial service laws. This list covers only the broad categories of businesses, but you can find a complete and detailed list on the official DFS website. With this said, there are exemptions to the NYDFS Cybersecurity Regulation, which include:
- Companies with less than ten employees;
- Companies with gross annual revenue of $5 million or less from their New York operations in each of the previous three years;
- Businesses with less than $10 million in year-end assets;
- Charitable and foreign risks groups that operate in New York.
What are the key components for the NYDFS Cybersecurity Regulation?
Just like the widely-known GDPR, the NYDFS Cybersecurity Regulation was implemented in several phases to allow every company to develop an effective incident response plan for all possible cybersecurity events. There were a total of four stages in the NYDFS Cybersecurity Regulation regulation implementation:
- The First Phase - The first phase came into effect on February 18th, 2018. It covered practices such as capacity and performance planning, the security of information systems, systemic and network security, and periodic risk assessment, among other provisions. Covered entities must report any data breaches that have a reasonable likelihood of causing material damage.
- The Second Phase - The following phase went into effect on March 1st the same year. It focuses mostly on Chief Information Security Officers, of whom it requires to prepare annual reports that include the company's cybersecurity policies and procedures, the effectiveness of current measures, and possible cybersecurity risks.
- The Third Phase - Implemented on September 3rd, 2018, the third phase was focused on the functionality of the cybersecurity programs of covered entities. By the end of the third phase, every business should maintain a detailed database of their audit trails and records. The third phase also requires all covered entities to continue evaluating vulnerabilities, invest in data security, and create defensive infrastructure under the previously completed risk assessment tests.
- The Fourth Phase - The fourth and final phase went into effect on March 1st, 2019. By this date, covered entities should meet all of the above-mentioned cybersecurity requirements and have adequate privacy practices set in place. They should also develop a written risk management policy and include a third-party risk assessment framework.
Aside from the measures covered in the four phases above, there are also some additional requirements. These include multi-factor authentication for all covered entities, penetration testing for risk assessment, usage of the principle of least privilege, and use of qualified and continuously trained cybersecurity personnel.
How does the NYDFS Cybersecurity Regulation Work?
The four phases we listed above cover the entire process every business must undertake. To put it simply, the NYDFS Cybersecurity Regulation requires every organization to do a risk assessment and develop an incident response plan for various cybersecurity events. This includes, at a minimum, the following specific aspects:
- Risk Assessments - Conducted periodically to assess the integrity, security, confidentiality, and availability of the company's IT infrastructure and Personally Identifiable Information.
- Audit Trails - Records will have to be maintained for five years. Their primary purpose is to record and respond to cybersecurity events.
- Limitations on Data Retention - Companies are required to develop procedures for secure disposal of Personally Identifiable Information that is no longer necessary for business purposes.
- Incident Response Plan - Create written plans and document internal processes for responding to different cybersecurity events. It includes roles and responsibilities, communication plans, and any other remediations as needed.
- Access Privileges - Strictly limit access privileges to the user's Personally Identifiable Information and periodically perform checks on these privileges.
- Notices to Superintendent - Notifications to the Department of Financial Services within 7 hours after a cybersecurity event has been detected.
New York Cybersecurity Regulations Penalties for Non-Compliance
Although non-compliance with the NYDFS Cybersecurity Regulation can inevitably lead to significant fines, penalties, and legal costs, the exact penalty amounts aren't stated in the regulation. This is a bit frustrating, as it makes businesses feel that the Department of Financial Services isn't interested in establishing clear communication.
If you were to look up precise NYDFS Cybersecurity Regulation penalties for non-compliance, you'd simply find a statement that fines for non-compliance will be calculated. With that in mind, the lack of precise information when it comes to penalties doesn't mean that you should disregard the regulations imposed by this legislation, as the NYDFS Cybersecurity Regulation is now in full force.
NYDFS Cybersecurity Regulation Compliance Checklist
Since the NYDFS Cybersecurity Regulation is in full effect, every organization that falls into the defined criteria must meet the requirements listed on the compliance checklist. To comply with the NYDFS regulation, organizations should:
- Assess if their business is classified as covered by this cybersecurity regulation
- Assemble a team under CISO responsible for the day-to-day management of compliance with the regulation
- Perform a risk assessment to identify cybersecurity events, threats, and understand their risk profile
- Invest in ongoing risk management
Despite concerns that this regulation might be too robust and complicated to comply with, it does provide a reliable mechanism that can keep businesses in control and safeguard sensitive user information. It is a welcome regulation that will undoubtedly help improve global cyber resilience in the future.
With that said, working on risk assessment and all other cybersecurity events with an expert cybersecurity company can go a long way in ensuring compliance with the NYDFS Cybersecurity Regulation. Cybersecurity experts can help you protect your data more efficiently and prevent and monitor for any security vulnerabilities.
If you are looking for a ready cybersecurity solution to strengthen compliance - check out Hideez Enterprise Solution or schedule a free demo:
