Key Milestone Dates: NYDFS Cybersecurity Regulations
If you’re in the financial industry (or working as a provider with such organizations), you most likely have already heard about the NY DFS Cybersecurity Regulations. The whole affair started late 2016, and was finally implemented on March 1, 2017. It’s the first regulation of its kind in the United States, and it’s set a precedent for regulations that has since surfaced in other states. Here at NopSec, programs are underway for our clients to ensure that they’re on-track to meet compliance and we’ve also been producing a series of NYDFS Cybersecurity Regulations webinars to help IT Teams and their organizations learn more.
When it comes to new regulations, there are three key questions that usually surface right away:
- Why are they [regulatory body] introducing these new regulations?
- What do they require?
- When do they want it done by?
The “why” in this case is simple enough. In a nutshell, the NYDFS Cybersecurity Regulations require that you set security practices and controls to help protect your nonpublic information from unauthorized access. The regulation outlines many requirements — and answers the “what” — here are the “big four” they’re requiring (mandatory compliance):
- Establishing a Cybersecurity Program
- Adopting Cybersecurity Policies
- Appointing a CISO
- Managing Third Party Vendors
Obviously there are many details contained within the regulations (including annual pen tests and twice yearly vulnerability assessments that fall under policies), but now that we roughly know what the requirements are, it’s time to ask when they want these all done by. Now that’s a great question if there ever was one.
The great thing with this regulation is that the NYDFS understands that some initiatives take time (i.e. not something you can do the night before the deadline), so they provided a transitional timeline for deadlines. Below are the details of the key dates you need to keep track of. Remember, these implementations are ideally done in phases (as we do with our clients), and there may be some changes along the line, so always check the official NYDFS website for updates (or the NopSec cybersecurity blog as we follow the regulations very closely).
- Implementation Effective: March 1, 2017
- Filing for exemption: August 28, 2017 – Under 23 NYCRR 500.19(a)-(d), which includes organizations that have (but not limited to):
- Fewer than 10 employees
- Less than $5,000,000 in gross annual revenue in each of the last three fiscal years
- Less than $10,000,000 in year-end total assets
Note: We recommend that you verify with a trusted advisor if you actually do qualify for an exemption.
- File First Certificate: February 15, 2018
- Under 23 NYCRR 500.17(b)
- Submit to the superintendent a written statement covering the prior year certifying that you are in compliance with the requirements.
- One-Year Transitional Period Ends: March 1, 2018 – Must be in compliance with:
- 500.04(b) – Designate a senior member of your personnel for direction and oversight of third party service providers
- 500.05 – Annual penetration testing and bi-annual vulnerability assessments
- 500.09 – Risk Assessment
- 500.12 – Multi-Factor Authentication (MFA)
- 500.14(b) – Provide regular cybersecurity awareness training for all personnel that is updated to reflect risks as identified by your Risk Assessment
- 18-Month Transitional Period Ends: September 3, 2018 – Must be in compliance with:
- 500.06 – Audit Trail
- 500.08 – Application Security (in-house developed applications)
- 500.13 – Limitations on Data Retention
- 500.14(a) – Monitoring of authorized and unauthorized access of non-public information
- 500.15 – Encryption of Non-Public Information
- Two-Year Transitional Period Ends: March 1, 2019 – Must be in compliance with 500.11, Managing Third Party Vendors
New regulations can be challenging, but it need not be impossible to implement. If you plan your initiatives strategically and efficiently, combined with with the advice of a trusted expert, then you are on track to being compliant. If you do need some assistance in getting started, please don’t hesitate to contact us at 646-502-7905 or at email@example.com.