Covered entities, including financial and insurance organizations, must comply with the New York Department of Financial Services Cyber Regulation
Cybersecurity regulation is becoming a trend across all sectors, and the first comprehensive regulation has a major deadline at the end of August. The New York Department of Financial Services (NYDFS) Cyber Regulation was announced in September of 2016, and went into effect in March 2017. Colorado and Vermont, as well as the OCC, are getting in the game as well.
On August 28, Covered Entities under NYDFS are required to be in compliance with requirements of 23 NYCRR Part 500 unless otherwise specified.
Requirements in this round of deadlines:
- Written cybersecurity program, which is based on a risk assessment
- Designated Chief Information Security Officer (CISO)
- Trained Cyber Personnel
- Access Privileges
- Notification of cybersecurity events to the Superintendent
- Penetration and Vulnerability Assessments
- Audit Trail
While on the surface this cyber regulation looks like a neat checklist, implementing the program is not as straightforward as one might hope. A recent Ponemon Institute survey of covered entities shows some alarming statistics. The June 2017 survey of financial institutions under the supervision of the NYDFS revealed:
- 25% do not have a CISO
- 51% of companies do not have a cybersecurity program that meets the criteria
- Some organizations noted their inability to know where high value data assets are located, that they have negligent or careless employees, and an insufficient budget [Survey]
Fines for Non-Compliance with the NYDFS Cyber Regulation
Chip Block, VP Cyber Solutions for Evolver said, “We think the NYDFS is pretty serious about this new cyber regulation. One of the most popular questions we hear is ‘What are the penalties/fines for non-compliance with NYDFS cyber regulation?’” He continued, “We are still waiting to see what they may be, but if previous fines for other issues are an indicator, compliance appears to be the best option.”
Below are a few previous fines from the New York Department of Financial Services:
| Date | Institution | Fine | Issue |
|---|---|---|---|
| Jan-17 | Deutsche Bank | $425M | Money Laundering |
| May-17 | BNP PARIBAS | $350M | Foreign Exchange Misconduct |
| Dec-16 | INTESA SANPAOLO | $235M | Money Laundering |
Let’s get started on NYDFS Cyber Regulation Compliance
Evolver is poised to assist you in meeting the cyber regulation compliance deadline.
We offer CISO Support as a Service, have expertise in implementing multi-factor authentication, perform penetration testing and threat and vulnerability assessments, and our approach to cyber assessments is to quantify risk financially.
Key Dates under New York’s Cybersecurity Regulation (23 NYCRR Part 500)
- March 1, 2017 – 23 NYCRR Part 500 becomes effective.
- August 28, 2017 – 180 day transitional period ends. Covered Entities are required to be in compliance with requirements of 23 NYCRR Part 500 unless otherwise specified.
- September 27, 2017 – Initial 30 day period for filing Notices of Exemption under 23 NYCRR 500.19(e) ends. Covered Entities that have determined that they qualify for a limited exemption under 23 NYCRR 500.19(a)-(d) as of August 28, 2017 are required to file a Notice of Exemption on or prior to this date.
- February 15, 2018 – Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.
- March 1, 2018 – One year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500.
- September 3, 2018 – Eighteen month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.
- March 1, 2019 – Two year transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11.