March 1, 2018 marks the end of the one-year transition period for the New York Department of Financial Services (NYDFS) cybersecurity regulation. The passage of this date means affected organizations — including banks, insurance companies, and other financial services companies licensed by or operating in New York State — must be in compliance with a raft of security rules intended to protect non-public information from cyberattacks and data loss.
The landmark NYDFS rules (officially known as 23 NYCRR Part 500) go into effect on a rolling basis, to give covered entities time to upgrade their security policies and procedures to meet compliance. The initial set of compliance requirements focus on risk assessment and reporting, penetration testing, employee training and monitoring, and access management.
According to the NYDFS, covered entities must be in compliance with sections 500.04(b), 500.05, 500.09, 500.12, and 500.14(b), by March 1, 2018. Additional requirements will go into effect in September 2018, including requirements for securing internally developed and third-party applications.
Below we offer a summary of the NYDFS rules covered entities must comply with as of March 1, 2018.
The chief information security officer (CISO) for covered entities must give an annual report to the organization's board of directors, or a senior officer if no such governing body exists. The written report should cover the overall effectiveness of the cybersecurity program, material cybersecurity risks, and material cybersecurity events within the period covered by the report.
Covered entities must conduct monitoring and testing to assess the effiectiveness of their security. Security programs should include continuous monitoring for security events, as well as penetration tests and vulnerability assessments. Penetration testing should be conducted at least annually, based on the entity's risk assessment. Vulnerability assessments, conducted at least bi-annually, should include systematic scans or reviews to find publicly known vulnerabilities in the entity's information systems.
Covered entities must conduct period risk assessments to inform the design of the cybersecurity program. These risk assessments must consider the impacts of evolving technologies and emerging threats. Risk assessments must be conducted in accordance with written policies and procedures, which must address how risks will be mitigated or accepted, and how the entity will address the risks.
Security controls, such as multi-factor authentication, must be in place to prevent unauthorized users from accessing non-public information and systems.
Covered entities must put in place policies and procedures for monitoring the activity of authorized users, and for detecting unauthorized access to non-public information and information systems. They must also provide periodic cybersecurity awareness training for employees.
Among the requirements for compliance going into effect in September 2018, covered entities must have policies and procedures in place for securing the software applications they develop or purchase. The regulation requires organizations to implement standards to ensure the use of secure coding best practices for internally developed applications, and procedures for assessing or testing third-party software used in the organization's IT environment.
You should check with your compliance and legal departments for complete information on how you may be required to comply. The following Veracode products and services may help you secure your internally developed and third-party software, as part of a complete cybersecurity program.
To learn more about securing all the applications you develop or assemble from third-party code, and the applications you buy, download our guide for getting started with an application security program.
Read our FAQ for more information about who is affected by the regulation, and read our new guide explaining how you might meet the compliance requirements: Navigating the New York Department of Financial Services Cybersecurity Regulations.