
© 2019 by CyGov Tech

4701 Sangamore Road, Ste 100N

Bethesda, MD 20816

NYDFS Standards

EACH "COVERED" INSTITUTION MUST ADOPT A ROBUST CYBERSECURITY PROGRAM BY AUGUST 28, 2017

A cybersecurity program that complies with the NYDFS Cybersecurity Regulation (23 NYCRR Part 500) must be based on the entity's risk assessment and perform six core functions (Section 500.02), which map closely onto the NIST Cybersecurity Framework:

  • Identify and assess internal and external cybersecurity risks to nonpublic information.

  • Use defensive infrastructure, policies and procedures to protect information systems against those risks.

  • Detect cybersecurity events.

  • Respond to identified or detected cybersecurity events so as to mitigate their effects.

  • Recover from cybersecurity events and restore normal operations.

  • Fulfill applicable regulatory reporting obligations.

EVERY COVERED INSTITUTION MUST ENACT A COMPREHENSIVE CYBERSECURITY POLICY BY AUGUST 28, 2017

The NYDFS Cybersecurity Regulation requires covered institutions to adopt and maintain a written cybersecurity policy, approved by a senior officer or the board, and based on the entity's risk assessment (Section 500.03). Many institutions structure the policy around ISO 27001 and similar industry frameworks, although the regulation itself does not mandate any particular standard. The regulation lists fourteen areas the policy must address; the most notable are:

  • Information security

  • Access controls

  • Disaster recovery planning

  • Systems and network security

  • Customer data privacy

  • Regular risk assessments

COVERED INSTITUTIONS MUST ADHERE TO THESE ADDITIONAL REQUIREMENTS BY AUGUST 28, 2017

Organizations covered by the NYDFS Cybersecurity Regulation are also required to:

  • Designate a qualified Chief Information Security Officer (CISO) to oversee and implement the cybersecurity program and enforce policy. The role can be filled by an affiliate or third-party service provider, but the covered entity retains responsibility for compliance and must designate a senior member of its own staff to oversee the third party.

  • Use qualified cybersecurity personnel, kept current through regular training, to manage evolving cybersecurity threats and responses. These too can be third-party staff.

  • Notify the NYDFS as promptly as possible, and in no event later than 72 hours after determining that a cybersecurity event has occurred, where the event either must be reported to another government, self-regulatory or supervisory body, or has a "reasonable likelihood" of materially harming any material part of normal operations.

  • Limit access privileges. Covered companies must restrict user access privileges to the information systems that hold nonpublic information, and must periodically review those privileges.

COVERED INSTITUTIONS MUST ADDRESS NEW CYBERSECURITY CHALLENGES

Some requirements of the NYDFS Cybersecurity Regulation go beyond what many institutions already practised, and several of them were given longer transition periods (running into 2018) than the August 2017 items above. The most noteworthy are:

  • Data encryption: Based on its risk assessment, each covered entity must implement controls, including encryption, to protect nonpublic information both in transit over external networks and at rest. Where encryption is currently infeasible, the entity may rely on compensating controls reviewed and approved by the CISO.

  • Annual certification: Covered entities must submit a written certification of compliance to the NYDFS every year, by February 15.

  • Enhanced multi-factor authentication: Multi-factor authentication must be used by any individual accessing the entity's internal networks from an external network, unless the CISO has approved in writing the use of reasonably equivalent or more secure access controls.

  • Incident reporting: Covered entities must document cybersecurity events and their incident response activities. Not every event is reportable: notification to the NYDFS applies only to events that meet the 72-hour notice criteria above, while the rest must still be recorded in the entity's incident records.