New York State has passed strict new cybersecurity requirements for financial services companies doing business in New York, and affected organizations will need to prove compliance with the regulations beginning in February 2018.
New York Governor Andrew Cuomo said the "first-in-the-nation" cybersecurity regulations are necessary to "guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible."
You may be wondering what the regulations say and how to comply. We put together this brief FAQ to help you understand what the regulations cover, and what protections you should consider to meet compliance requirements. Although this doesn’t constitute legal advice, we hope this FAQ helps you begin the process of planning your next steps for compliance.
The new cybersecurity regulations by the New York State Department of Financial Services (DFS) are officially known as Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations of the State of New York, or 23 NYCRR 500 for short.
The DFS is the regulatory body that oversees financial services companies licensed by or operating in New York State. Organizations covered by the new cybersecurity regulations include banks and trust companies, insurance companies, mortgage lenders, investment companies, brokers and other financial services providers. Limited exemptions apply to certain smaller organizations.
The regulations went into effect on March 1, 2017. There is a 180-day transitional period (ending August 28, 2017) for companies to comply. Affected organizations must provide a Certification of Compliance to the DFS beginning February 15, 2018.
The regulations include a comprehensive list of requirements for protecting information systems from cybersecurity threats and unauthorized access to “non-public information.” Below is a partial list of the main requirements.
Covered entities must:
Strategic organizations understand that they cannot treat compliance as an end in itself; it must be the outcome of an ongoing process. The CA Veracode Application Security Platform provides a variety of methods to assess application security, compliance and development team reporting, and secure development training. CA Veracode helps deliver continuous compliance by:
Below are some possible security solutions you should consider when assessing your risk and compliance requirements.
You should check with your compliance and legal departments for complete information on how you may be required to comply.
View our new guide for continued learning: Navigating the New York Department of Financial Services' Cybersecurity Regulations
This post was updated in April 2017 to reflect that the regulations are in effect as of March 1, 2017.