The new NYDFS Cybersecurity Regulations apply to all insured businesses, including banks, mortgage companies, and insurance organizations. As a result, the financial sector needs a plan for handling security breaches and an efficient way to disclose them.
The cybersecurity regulations apply to all financial institutions that are licensed, registered, bonded, or otherwise regulated by New York State. Regulated enterprises must also require their third-party service providers to abide by the same rules.
An effective cybersecurity program must adhere to both the NIST Cybersecurity Framework (CSF) and the NYDFS cybersecurity regulations. To protect yourself from these threats, you first need a clear understanding of your company’s degree of cybersecurity risk management, because only then can a defensive system be put in place.
If the proper steps are taken, it is feasible to detect a cybersecurity issue, and when a security breach is discovered it must be handled immediately; following the security regulations will assist with that. A cyber event may leave you unable to do some things, but these instructions will help you get back in the game.
Many of the Regulation’s requirements do not apply to New York enterprises with ten workers, annual sales of less than $5 million, or assets of less than $10 million.
NYDFS Cybersecurity – A Quick Overview
The NYDFS Cybersecurity Regulations require a Chief Information Security Officer, among other measures, and each of these measures has its own set of criteria and requirements.
NYDFS has not yet addressed questions about non-compliance, and non-compliance has so far resulted in no fines; those who breach the new legislation will, however, shortly face penalties. A company that wants to stay competitive needs a CISO, regular risk assessments, a cybersecurity plan aligned with NIST, and investment in third-party and fourth-party risk management programs.
NYDFS Cybersecurity Regulations
The following are a few significant points from the NYDFS laws:
- The NYDFS cybersecurity regulations’ breach-reporting requirements span a wide range of cyber events. Any attempt to gain access to, disrupt, or abuse the system must be reported to the firm.
- DoS and ransomware are only two examples of post-exploitation tactics, so it is essential to deploy monitoring solutions that identify unauthorized access to crucial information.
- Working as a cyber team member requires training: in order to “address contemporary concerns,” firms must train their employees in cybersecurity.
- Cybersecurity workers are no exception; they must keep up with the latest developments in their field, and New York City’s financial institutions may have to spend more on training as a result of these new regulations.
- The first step in a risk assessment is to sort the data: find out how much personally identifiable information (PII) the firm holds before analyzing the risk, so that only individuals with a legitimate need for that information have access to it.
- Regular risk assessments and the detection of cyber threats and vulnerabilities can be accomplished with continuous security rating software. In line with the FAQs on the NYDFS Cybersecurity Regulations, establish a team responsible for day-to-day compliance with the Regulations, reporting to the CISO.
- The regulations issued by the Department of Justice under the number 23 NYCRR 500 aim to enhance global cyber resilience and data security.
Take Away Points
Section 500.9 is the one in question here. Risk evaluations are required under several government regulations. As a result of this change, MFA, NPI (non-public information) encryption, training, and supervision will all be affected to varying degrees, and third-party service providers (TPSPs) will face new security requirements.
The Department of Financial Services advises against using risk assessments to calculate acceptable losses. Effective risk assessment is directly tied to a company’s ability to comply with 23 NYCRR 500, and ensuring compliance requires both internal and external assessments.
Non-public Information and Risk Assessment have been added to the DFS’s name, although the majority of its functions remain the same. Any attempt to gain unauthorized access to an information system or its data, whether successful or not, is referred to as a “Cybersecurity Event.” Such events must be detected and investigated within 72 hours of their occurrence; also keep a record of these incidents and respond quickly.
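The definition above matters in practice because a failed login from an untrusted source is a Cybersecurity Event just as much as a successful one, and each event starts its own 72-hour clock. The script below is an added illustration, not code from the regulation or from any vendor: it scans constructed authentication log lines (the log format, the hostnames, and the assumption that `10.0.0.x` is the only trusted network are all made up for this example), records every access attempt from outside that network as an event regardless of outcome, computes the notification deadline for each, and lists the ones that are overdue.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
import re

# Constructed sample authentication log (not from any real system).
SAMPLE_LOG = """\
2024-03-01T09:00:00Z host=app01 user=alice result=success src=10.0.0.5
2024-03-01T09:05:12Z host=app01 user=admin result=failure src=203.0.113.7
2024-03-01T09:05:15Z host=app01 user=admin result=failure src=203.0.113.7
2024-03-01T09:05:19Z host=app01 user=admin result=success src=203.0.113.7
2024-03-01T10:30:00Z host=db01 user=svc_backup result=success src=10.0.0.9
"""

# Assumption for this example: only this network is trusted; any attempt from
# elsewhere counts as an unauthorized access attempt, successful or not.
TRUSTED_PREFIX = "10.0.0."
# Notification window stated on the page: 72 hours from the event.
NOTIFICATION_WINDOW = timedelta(hours=72)

LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)"
)


@dataclass
class CyberEvent:
    detected_at: datetime
    host: str
    user: str
    src: str
    succeeded: bool

    @property
    def notify_by(self) -> datetime:
        """Deadline by which this event must be investigated and reported."""
        return self.detected_at + NOTIFICATION_WINDOW

    def record(self) -> dict:
        """Serializable incident record for the log the page says to keep."""
        d = asdict(self)
        d["detected_at"] = self.detected_at.isoformat()
        d["notify_by"] = self.notify_by.isoformat()
        return d


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_events(log_text: str):
    """Return a CyberEvent for every attempt from an untrusted source.

    Failed attempts are included on purpose: the definition covers any
    attempt, whether successful or not.
    """
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"].startswith(TRUSTED_PREFIX):
            continue
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(CyberEvent(ts, rec["host"], rec["user"], rec["src"],
                                 rec["result"] == "success"))
    return events


def overdue(events, now: datetime):
    """Events whose 72-hour notification deadline has already passed at `now`."""
    return [e for e in events if now > e.notify_by]


if __name__ == "__main__":
    evs = find_events(SAMPLE_LOG)
    for e in evs:
        print(e.record())
    late = overdue(evs, datetime(2024, 3, 5, tzinfo=timezone.utc))
    print(f"{len(late)} of {len(evs)} events past their notification deadline")
```

Running the block prints one incident record per untrusted attempt (three here, two of them failures) and reports how many have exceeded the 72-hour window at the chosen reference time.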