NY State DFS Compliance
Your people are your greatest asset, but also your greatest liability when it comes to cybersecurity. They are the targets of social engineering, spoofing and spear-phishing campaigns, to name a few. The best way to protect them and your organization is through education.
You can have the most sophisticated cybersecurity products deployed in your environment, but if your team is not trained to recognize, respond to and report attacks in real time, your security posture is compromised.
HighCastle Cybersecurity Regulation Update
What: New NYS DFS rules require a comprehensive cybersecurity program from financial services entities, including insurance companies, mortgage brokers, insurance agents and banks. The requirements and their key attributes are as follows:
- Cybersecurity Program
Develop a comprehensive cybersecurity program to protect non-public information (NPI) and detect, respond, report and recover from cybersecurity events.
- Cybersecurity Policy
Retain a written cybersecurity policy covering data governance, asset inventory, business continuity, network access control and other categories that unify information security and operational processes across the organization.
- Chief Information Security Officer
Designate a Chief Information Security Officer (CISO) to oversee the cybersecurity program and report on cyber policy and procedure, material risks to the entity, material security events and the overall effectiveness of the program to the board of directors and the NYS DFS.
- Penetration Test and Vulnerability Assessments
Organizations shall engage in continuous monitoring of their environment, based on the outcome of the risk assessment, or conduct periodic penetration tests and vulnerability assessments.
- Audit Trail
Retain audit records sufficient to (1) reconstruct material financial transactions to support ongoing operations and obligations, and (2) detect and respond to cybersecurity events that have a reasonable likelihood of harming ongoing operations. Such records are to be retained for 5 years.
- Application Security
Maintain written procedures, guidelines and standards for secure development practices covering both internally developed and externally sourced applications.
- Access Privileges
Develop and maintain an identity and access management program governing the use of non-public information (NPI).
- Risk Assessment
An assessment shall be performed to uncover the particular cybersecurity risks to the organization's business operations and to the confidentiality, integrity and availability of its information systems and NPI. The adequacy of controls will be evaluated in the context of these risks, including how each risk will be mitigated and how the overall cybersecurity policy will address it.
- Cybersecurity Personnel & Intelligence
Security personnel must oversee the execution of the cyber policy and stay current on the newest exploits in the field and their corresponding countermeasures.
- Third Party Solution Provider Security Policy
Organizations shall implement written policies and procedures addressing third-party risks as revealed by the assessment. This includes establishing minimum cyber policies to be met by third parties, due-diligence efforts, periodic reviews, controls relating to encrypted data, NPI and cybersecurity events, and representations and warranties as to the adequacy of third-party security.
- Multi-Factor Authentication
Organizations shall use multi-factor or risk-based authentication to protect their information systems and NPI from unauthorized access.
- Limitations on Data Retention
Organizations shall have policies and procedures for the secure disposal of records containing NPI.
- Training and Monitoring
Implement risk-based policies, procedures and controls to monitor access to NPI. Cybersecurity awareness training shall be provided to all employees, emphasizing the risks germane to the organization as identified by the assessment.
- Encryption of NPI
Based on the assessment results, organizations shall encrypt NPI in transit and at rest. Where encryption is infeasible, the CISO shall approve compensating controls, whose effectiveness will be reviewed at least annually.
- Incident Response Plan
The organization shall create a written incident response plan outlining how it will respond to and recover from a cybersecurity event that affects the confidentiality, integrity or availability of the entity's infrastructure or that materially affects ongoing operations. The plan shall address event response, roles and decision authority, the communications plan, and event remediation, including documentation and reporting of cybersecurity incidents.
- Superintendent Notices
Organizations shall report to the NYS DFS Superintendent within 72 hours of a cybersecurity event occurring. An annual report on the cybersecurity program in place must also be made to the Superintendent on February 15th, with all supporting documentation retained for a period of five years.
When: The regulation took effect March 1, 2017, giving affected companies 180 days, or until Sept. 1, to begin complying with its provisions.
What entities does it apply to? The regulation defines a "Covered Entity" as "any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law," including insurance companies, mortgage brokers, insurance agents and banks. A limited exception is carved out for otherwise covered entities with fewer than 10 employees (including independent contractors), fewer than 1,000 customers, less than $5 million in gross annual revenue in each of the last fiscal years, or less than $10 million in year-end total assets.
Next Step: Contact HighCastle Cybersecurity to learn about our New York State Cybersecurity Compliance-as-a-Service offering. Our experts will provide a comprehensive solution right-sized for your organization that will get you compliant with the entire regulation in 30 days or less.