If you are one of the many businesses licensed by the New York Department of Financial Services (DFS), and cannot avail yourself of the (very) limited exemptions, you must be ready for the first compliance transition date for the stringent DFS cybersecurity regulations – August 28, 2017.
Just in case you’d forgotten, the DFS cybersecurity regulations became effective March 1, 2017 and you can refresh your memory here.
If you are licensed by DFS and have not conducted the required risk assessment, you will be late. The regulation requires a periodic risk assessment (see Section 500.09 for details), referred to here as the “Risk Assessment”, and it is the foundation for every other administrative and technical requirement of the regulation.
The August 28 compliance deadline applies to the following requirements:
Cybersecurity Program (Section 500.02): Licensees are required to have a cybersecurity program in place that is designed to protect the confidentiality, integrity, and availability of the licensee’s information systems. As with other security regulations (e.g., HIPAA and Massachusetts 2017 CMR 17), the Cybersecurity Program should be developed based on the Risk Assessment.
Cybersecurity Policy (Section 500.03): The written policy must be approved by a senior officer or the entity’s governing board, must be based on the Risk Assessment, and cover 14 regulation-specific areas including data governance, systems and network security, data privacy, and incident response.
Chief Information Security Officer (CISO) (Section 500.04(a)): The regulation requires that a qualified individual be designated as the CISO.
Access Privileges (Section 500.07): User access to information systems must be limited and privileges must be appropriate for roles.
Cybersecurity Personnel (Section 500.10): Cybersecurity personnel must be engaged, trained, and updated on cybersecurity risks and all personnel must have regular cybersecurity awareness training based on the Risk Assessment.
Incident Response Plan (Section 500.16): A written incident response plan (IRP) must be implemented. The plan must be designed to promptly respond to and recover from any security incident, and must specifically address internal processes for response; goals of the incident response plan; definition of clear roles and responsibilities; external and internal communications and information sharing; identification of requirements for remediation of identified weaknesses; documentation and reporting; and evaluation and revision (as necessary) of the IRP following a security incident.
Notice of Cybersecurity Event (Section 500.17(a)): Notice of a security incident must be given to the DFS Superintendent as promptly as possible BUT IN NO EVENT LATER THAN 72 HOURS from a determination that a Cybersecurity Event (as defined in the regulation) has occurred, where notice is required to any other governmental or supervisory body or self-regulatory agency, or where the event has a reasonable likelihood of materially harming any part of the entity’s operations.
Note that if you intend to claim a limited exemption under Section 500.19 of the regulation, you must file Appendix B with DFS by August 28, 2017. DFS has established a web portal for licensees to make required filings. Go to Department of Financial Services Secure Portal to create an account.