New York Department of Financial Services Issues Final Cybersecurity Regulation
On February 16, 2017, New York’s Department of Financial Services (DFS) issued the “first-in-the-nation” cybersecurity regulation.
Effective March 1, 2017, the final regulation requires covered financial institutions that do business in the State of New York to conduct a risk assessment and maintain a risk-based cybersecurity program.
This regulation is designed to protect customers’ private data and ensure the safety of New York’s financial service industry. Any covered entity with operations in the State of New York will be required to comply with these new regulations.
Under the new regulation, covered entities must:
- Conduct a documented risk assessment
- Establish a risk-based cybersecurity program:
Identify cyber risks and implement policies and procedures to protect information systems
- Adopt a written cybersecurity policy
- Designate a qualified CISO
- Implement written third-party cyber risk policies:
Identify and assess the risk associated with third-party access to systems; establish minimum cybersecurity requirements; confirm strong due diligence processes; periodically assess third parties based on the risk they present
- Establish a written incident response plan:
Refers to the internal and external processes for responding to a cybersecurity event
- Notify the superintendent of DFS of cybersecurity events:
No later than 72 hours after determining that a reportable cybersecurity event has occurred
- Submit an annual certification of compliance:
Each year the certification must be signed by the board chairperson or a senior officer. This is the document certifying that the entity complies with all requirements of the regulation.