NYDFS Cybersecurity Regulations: Key Deadlines
The first traditional deadline is coming to a close this month for compliance with the NYDFS Cybersecurity Regulations. Please note that situations vary from one organization to another and I urge you to consult an NY DFS expert to help you get the right information for your team and determine which requirements apply exactly to you.
For example, the initial 30-day period for filing Notices of Exemption under 23 NYCRR 500.19(e) ends on August 28, 2017. This is our first key date because exemptions might apply to you and it’s important that you have this in place. That means you are required to file your notice on or before August 28, 2017. According to the limited exemption under 23 NYCRR 500.19(a)-(d), your organization may be exempted from several requirements if you have (but not limited to): 1) fewer than 10 employees; 2) less than $5,000,000 in gross annual revenue in each of the last three fiscal years; and 3) less than $10,000,000 in year-end total assets. These criteria may seem straightforward, but it’s still best to defer to an expert to confirm whether or not you are exempt.
Along with this key date, the 180-day transition period also ends on August 28th of this year. This means that by August 28th (except for the sections covered under Section 500.22, which have their own deadlines and will be discussed separately), you must already be in compliance with the following:
Established a documented cybersecurity program (section 500.02) based on your Risk Assessment (which means you should have conducted a Risk Assessment at this time as well). Keep in mind that at this point, all documentation and information related to your cybersecurity program must be made available to the superintendent upon request.
Adopted a documented cybersecurity policy (section 500.03) that is also based on your Risk Assessment. This policy must address critical security areas such as data governance and classification, systems and network security and monitoring, access controls and identity management, and business continuity and disaster recovery planning and resources.
Appointing a CISO (section 500.4(a)) — We generally recommend that this be your first step. Not only is it difficult and time-consuming to find a highly competent CISO to fill this position, but a CISO is key in helping you put together a cybersecurity program and policy to begin with. A CISO is undoubtedly a critical requirement and position to fill, but it also comes at a price, which may be challenging for smaller organizations that do not have the budget for it. In these situations, I recommend looking into a Virtual CISO (also known as vCISO) solution.
You are already expected to have set Access Privileges as part of section 500.07. Based on your Risk Assessment, you need to have put controls in place to limit user access privileges to information systems that provide access to Nonpublic Information. You’re also expected to periodically review these access privileges.
Other sections that are due at this time include:
Section 500.10, which requires you to employ qualified cybersecurity personnel to manage your cybersecurity risks, whether in-house, through an affiliate, or through a third-party service provider. They must have received sufficient training, and you must verify that they continue to receive such training to keep up to date with relevant cybersecurity risks.
Section 500.16, which requires you to have an incident response plan that covers your internal process should a cybersecurity event occur, clear definitions of roles and decision-making authority, documentation of cybersecurity events, and the like.
Section 500.17(a), which requires you to report all cybersecurity events to the superintendent within 72 hours from determination. A cybersecurity event is defined as any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt, or misuse an information system or information stored on such information system.
Section 500.18, which addresses some exemptions from disclosure under several Banking, Insurance, Financial Services, and other laws.
And lastly, section 500.19, which we discussed earlier and which covers the deadlines to apply for exemption.
Not to alarm you, but these are all the requirements that you should have in place by the end of the month alone. Though you are not required to submit your certification of compliance until February 15, 2018 (which we’ll discuss next), remember that the superintendent may request a copy of your documented cybersecurity program and policy at any time on or before February 15, 2018.
Our next key date is February 15, 2018. This is the one-year mark from the March 1st, 2017 implementation date. At this time, you are required to submit your first certificate of compliance on or prior to February 15th under section 500.17(b). Take note that you are required to keep all records and supporting data of your compliance for the past five years.
The fourth key date to remember is March 1st, 2018. The one-year transitional period ends at this time, and in addition to what was required on August 28th, you are now also required to have covered the following:
Section 500.04(b) requires your CISO to submit an annual report to your organization’s governing body on your cybersecurity program and material cybersecurity risks. If you don’t have a board of directors or equivalent in your organization, the report should be presented to a Senior Officer instead.
Section 500.05 requires that you have already conducted at least one penetration test and two vulnerability assessments for your information systems. Take note that this is the bare minimum. Based on the needs of your organization, you may need more tests and assessments beyond the minimum prescribed by the NY DFS.
Section 500.09 is the required Risk Assessment that you should have performed at the beginning of the year, as the NY DFS did specify that you need a documented assessment on which to base your cybersecurity programs and policies in the first place. I also recommend conducting these assessments periodically to help you review and revise your programs and policies as necessary.
Multifactor Authentication is also required to be in place at this time under section 500.12, specifically for any individual accessing an internal network via an external network. An exemption may be accepted via a CISO’s written approval and provided that a reasonably equivalent access control is in place in lieu of MFA.
Lastly, cybersecurity training under section 500.14(b) requires organizations to provide regular cybersecurity training for all personnel that is updated to reflect risks identified by your Risk Assessment.
As you can see, these requirements are not initiatives you can easily put into place overnight. If they’re not already a part of your cybersecurity program, they are best implemented in phases, which is what we have done for our current clients. There are more requirements that you need to complete within two additional transition periods in the coming year. To learn more, speak with our team of compliance experts — fill out this form and we’ll get back to you within one business day or less.