Is your organization a New York State Department of Financial Services-regulated entity that now needs to meet the cybersecurity rules established by 23 NYCRR 500, Cybersecurity Requirements for Financial Services Companies?
If you are not sure what part of your business is in scope or if an affiliate is supervised by DFS, you can find out on the DFS website.
It has been about a year since the NY DFS implemented its Cybersecurity Rules, which include many different policies, procedures, and controls that need to be implemented or enhanced. Likewise, there are multiple due dates and possible exemptions that organizations should have reviewed to determine applicability and ensure compliance with specific requirements.
You can find the latest copy of the rule here.
The following is an overview of where supervised organizations should be in terms of their compliance efforts, and important items to remember as you work through each section of the rule.
Compliance in the following sections was required by September 1, 2017 and must have been attested to on or prior to February 15, 2018 and annually thereafter:
- 500.02: CYBERSECURITY PROGRAM
- 500.03: CYBERSECURITY POLICY
- 500.04(a): NAMED CHIEF INFORMATION SECURITY OFFICER
- 500.07: ACCESS PRIVILEGES
- 500.10: CYBERSECURITY PERSONNEL AND INTELLIGENCE
- 500.16: INCIDENT RESPONSE PLAN
The following sections of the rule were required to be implemented as of March 1, 2018:
- 500.04(b): CHIEF INFORMATION SECURITY OFFICER
- 500.05: PENETRATION TESTING AND VULNERABILITY ASSESSMENTS
- 500.09: RISK ASSESSMENT
- 500.12: MULTI-FACTOR AUTHENTICATION
- 500.14(b): TRAINING AND MONITORING
The following sections of the rule have a required implementation date of September 1, 2018:
- 500.06: AUDIT TRAIL
- 500.08: APPLICATION SECURITY
- 500.13: LIMITATIONS ON DATA RETENTION
- 500.14(a): TRAINING AND MONITORING
- 500.15: ENCRYPTION OF NONPUBLIC INFORMATION
The following section of the rule has a required implementation date of March 1, 2019:
- 500.11: THIRD PARTY SERVICE PROVIDER SECURITY POLICY
Refer to the DFS Frequently Asked Questions (FAQ) page for more detailed questions and answers that may help clarify the Cybersecurity Rules requirements. For example, many organizations report cybersecurity items to a sub-committee; however, when reviewing the FAQs, you will see that this does not suffice to meet the DFS requirement—the information must be presented to the Board of Directors.
You can find the detailed response to this example and many others on the FAQs here.
The Rule imposes strict guidelines on reporting cybersecurity events that organizations may not have had to meet previously. Under this rule, covered entities are required to notify the Superintendent of certain cybersecurity events as promptly as possible, but no later than 72 hours from a determination that a reportable cybersecurity event has occurred.
See the full rule for details on what defines a reportable event, as even an unsuccessful attack may constitute a reportable cybersecurity event.
DFS’ First Day Letter continues to get more detailed and now includes nearly 100 core requests, with additional sub-requests. Some of these items relate to the rule and other requests that should be expected include items on Payment Card Industry Data Security Standard (PCI DSS) compliance, data exfiltration, and advanced penetration testing.
Overall, the cybersecurity program at an organization must ensure the safety and soundness of the institution and protect its customers. Accordingly, NY DFS states that this regulation is designed to promote the protection of customer information as well as the information technology systems being operated by regulated entities.
This regulation requires each organization to assess its specific risk profile and design a program that addresses its risks in a robust fashion. NY DFS expects senior management to take this issue seriously and be responsible for the organization’s cybersecurity program, including filing an annual certification confirming compliance with the rule. This was required to be completed as of February 15, 2018, and must be completed annually thereafter.
It should be understood that if a program is not adopted and implemented, NY DFS may impose significant financial or other sanctions, and the organization could be subject to other adverse effects such as reputational damage.
Jillian Martucci is manager based out of our Rochester, NY office.
This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.