An Overview of The NYDFS Cybersecurity Regulation
What is NYDFS?
Last year, New York became the first state to propose cybersecurity regulations for financial organisations. This year, on March 1st, the New York Department of Financial Services (NYDFS) Cybersecurity Requirements came into effect.
This new regulation requires financial institutions such as banks, insurance companies and others to establish and maintain cybersecurity programs in order to protect consumers’ private data. Financial organisations have a 180-day transition period to enhance their infosec implementation in order to protect their Information Systems and Nonpublic Information (NPI). By August 28, 2017, they must have a cybersecurity program in place, and starting February 15, 2018, they must be able to demonstrate that they are compliant by submitting annual Certifications of Compliance.
What is the Information System?
The Information System represents “a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching, and private branch exchange systems, and environmental control systems.”
In short, the NYDFS uses the term Information System to cover both the sensitive data and the systems that must be safeguarded against cybercriminals and other cybersecurity threats.
What is Nonpublic Information (NPI)?
Nonpublic Information means “all electronic information that is not Publicly Available Information and contains:
- Business related information
- Information concerning an individual that can be used to identify him/her (name, number, personal mark, or other identifier) in combination with a social security number, driver’s license number or non-driver identification card number, account number, credit or debit card number, any security code, access code or password that would permit access to an individual’s financial account, or biometric records.
- Any information or data, except age or gender, related to the physical, mental or behavioral health of any individual or his/her family collected and processed by a health care provider or derived from a health care institution.
Whom does it cover?
The NYDFS rule focuses on protecting the data of customers of financial institutions with branches in New York, such as banks, insurance companies, brokers, mortgage lenders, investment companies and others, as well as their third-party suppliers.
According to the NYDFS website, the new rule supervises “nearly 1,900 banking and other financial institutions with assets of more than $2.9 trillion” and “all insurance companies that do business in New York,” which includes “nearly 1,700 insurance companies with assets exceeding $4.2 trillion.”
The proposed regulations will reduce the risk of data breaches caused by insider threats, ignorance or unintentional data leakage.
What are the key points?
NYDFS regulations require Covered Entities to:
- Set a robust cybersecurity program
- Perform regular cybersecurity awareness training for all employees
- Set risk-based minimum standards for technology systems, including data protection, encryption, access controls, and penetration testing
- Establish an incident response plan
- Require identification and documentation of material deficiencies, remediation plans and annual certifications of regulatory compliance
- Protect data in transit and at rest; encryption is specified as the protective measure, with alternative controls approved by the CISO where encryption is not feasible
- Notify the NYDFS no later than 72 hours after a breach occurs
- Engage a Chief Information Security Officer, internally or through a third-party provider, to run the cybersecurity program
- Make sure that third-party organizations with access to their Information Systems also adhere to the NYDFS regulation
Across the world, new cybersecurity regulations emerge and existing ones are strengthened, demonstrating once again that cybersecurity is becoming a pressing issue in the financial, economic, political and social spheres. Some organizations are forced to step up their game, many must catch up on years’ worth of work in a few months, and others are simply formalizing what they have already implemented. The NYDFS regulation encourages a risk-based approach, in which the risk assessment provides the basis for the actions taken to address the vulnerabilities it reveals.
Encryption is given great importance, and protecting data in transit and at rest is also stressed, making Data Loss Prevention software one of the relevant solutions to deploy. For more information about the NYDFS regulation, visit the DFS website and its FAQ section.