Make sure you comply with the new DFS regulations
In this blog, we look at one of the requirements that DFS-regulated companies must meet to comply with the new cybersecurity regulation that took effect in March.
The regulation responds to cyber-criminals exploiting technological vulnerabilities in companies to gain access to sensitive electronic data. Such breaches can cause significant financial losses for DFS-regulated entities, and for New York consumers whose private information may be exposed or stolen for illicit purposes.
The regulation includes a comprehensive list of requirements designed to protect customer information in the financial services sector. You can read our overview of the regulation here. The DFS has also released an FAQ, which you can find here. To comply, you should have a well-designed framework, with the right solutions in place, to reduce your company's risk of a cyber-attack.
One of the most crucial requirements in the regulation is that companies must have written cybersecurity policies. Under Section 500.03, each Covered Entity must implement and maintain a written policy or policies, approved by a Senior Officer or the board of directors (or an equivalent governing body), setting forth its policies and procedures for the protection of its information systems and the nonpublic information stored on those systems.
The Cybersecurity Policy - What you need to know
The cybersecurity policy should be based on your risk assessment and address the following areas, applicable to your company's operations:
- Information security
- Data governance and classification
- Asset inventory and device management
- Access controls and identity management
- Business continuity and disaster recovery planning and resources
- Systems operations and availability concerns
- Systems and network security
- Systems and network monitoring
- Systems and application development and quality assurance
- Physical security and environmental controls
- Customer data privacy
- Vendor and Third Party Service Provider management
- Risk assessment
- Incident response
The policy can either be separated into different documents or built into one comprehensive policy that covers the entire organization. You might consider writing separate policies for each area initially and then combining them into one master policy.
Starting a policy from scratch is a tough task, so to make things easier we've put together a free cybersecurity policy template that you can download here. The Written Information Security Policy (WISP) sets forth a procedure for evaluating and addressing the electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting personally identifiable information (PII) and sensitive company information.
The free cybersecurity policy template will give you a good starting point to develop your own cybersecurity policy to make sure you comply with the new regulations. INVAR Technologies provide full cybersecurity programs and support for DFS-regulated companies in New York and New Jersey. Schedule a call here to speak with one of our consultants.
This blog is part of a 3-part series on the New York State DFS cybersecurity regulation. Sign up for updates here so you don't miss out on new articles.
Key Dates for the DFS Cybersecurity Regulation
- March 1, 2017 - The regulation, 23 NYCRR Part 500 became effective.
- August 28, 2017 - Transitional period of 180 days ends. Covered Entities are required to be in compliance with the regulation unless a later transitional period is specified for a particular section (see below).
- September 27, 2017 – Initial period of 30 days for filing Notices of Exemption under 23 NYCRR 500.19(e) ends. Covered Entities that qualify for exemption under 23 NYCRR 500.19(a)-(d) as of August 28, 2017 must file a Notice of Exemption on or prior to this date.
- February 15, 2018 - Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.
- March 1, 2018 - Transitional period of one year ends. Covered Entities are now required to be in compliance with sections: 500.04(b), 500.05, 500.09, 500.12 and 500.14(b).
- September 3, 2018 - Transitional period of eighteen months ends. Covered Entities are required to be in compliance with sections: 500.06, 500.08, 500.13, 500.14(a) and 500.15.
- March 1, 2019 - Transitional period of two years ends. Covered Entities are required to be in compliance with the section: 23 NYCRR 500.11.
It’s not too late to ensure compliance. Speak to us today about our cybersecurity packages. We have two solutions available, a Do-It-Yourself package and a full-service solution for DFS-regulated companies.