Understanding the NYDFS Cybersecurity Requirements

The New York Department of Financial Services Cybersecurity Requirements for Financial Services Companies went into effect nearly a year ago on March 1, 2017.  February 15, 2018, marked the first major milestone as the deadline for submitting the first certifications under the Rule.

During this time, we’ve also seen individual states implement financial services cybersecurity regulations, including Colorado and Vermont.  Given that many of the information security requirements in the Regulation crop up in related state laws and best practices, we thought this would be a good time to recap a few key parts of the Regulation and discuss the remaining sections that will be implemented over the next year.

The Regulation requires Covered Entities to appoint a Chief Information Security Officer (CISO) and to utilize qualified personnel with an appropriate background in cybersecurity.  The CISO is responsible for oversight of the cybersecurity program and submits the annual certification to the NYDFS.

The annual certification describes the status of the Covered Entity’s cybersecurity policies, identified risks as well as the overall effectiveness of the program and details of any cybersecurity events during the reporting period.  Notably, the CISO and supporting staff roles can be entrusted to qualified third-parties, giving firms flexibility to engage specialists and employ cloud software platforms to satisfy personnel and technology requirements.

A key aspect of the Regulation, echoed in Colorado and Vermont, is the maintenance of a cybersecurity policy.  The policy is the cornerstone of an effective cybersecurity program and, per the NYDFS, should encompass information security, data governance and classification as well as customer data privacy and physical access controls.

The Colorado and Vermont rules require the maintenance of cybersecurity policies, and the SEC’s Office of Compliance Inspections and Examinations has reiterated the requirement in their Security Alerts and Exam Observations.  These policies effectively act as blueprints for a firm’s IT deployments and oversight practices.  A cybersecurity policy that aligns to your firm’s size, structure and product offerings should be considered a key component of any financial services compliance regime.

As of March 1, 2018, Covered Entities must have controls around the use of multi-factor authentication to secure access to Nonpublic Information.  Multi-factor authentication has historically been an information security best practice, and the Colorado regulation highlights authentication as an issue firms must consider when setting permissions to systems that facilitate electronic communications, or when validating client instructions received through electronic communications channels.

The Workplace platform has long included multi-factor authentication as a key security component and we recommend that clients leverage the feature.

Additional portions of the Regulation will become effective on a rolling basis as part of the two-year transitional period. On September 3, 2018, requirements to maintain audit trail systems, develop standards for application security development, limit data retention periods, implement risk-based policies and procedures to monitor and detect unauthorized use of Nonpublic Information, and encrypt Nonpublic Information will come into effect.

Security technologies like Workplace include advanced logging capabilities, including tracking user activity on the platform and full audit logs of changes to documents. The end of the transitional period on March 1, 2019, will require Covered Entities to maintain third-party service provider policies and procedures to ensure the security of Nonpublic Information accessible to, or maintained by, outside entities.

At OS33 we’re committed to designing products that help our clients meet the requirements of these cybersecurity regulations. Firms must consider emerging laws as they consider appropriate software controls and the evolution of their security and compliance programs.