Cyber Security Compliance Requirements Deadline March 1st, 2019
New York State’s Cybersecurity Regulations are said to be the first of their kind outlined by a state and the toughest in the country.
In March 2017, New York State decided to step up its cybersecurity regulations for any Department of Financial Services (DFS) related entity or licensed person in an attempt to fend off cyber attacks against the financial industry. The two-year grace period is coming to a close, with compliance requirements taking effect March 1, 2019.
The purpose of the regulation is to create effective administrative, technical, electronic and physical protection to safeguard the personal information of the agency’s clients and employees, the agency’s proprietary and confidential information, the physical security of its premises, and the integrity of its electronic systems. In a nutshell, organizations are tasked with retaining a Chief Information Security Officer, reporting any cybersecurity incidents within 72 hours and using multifactor authentication.
Below is a list of steps an organization should take to ensure it is in compliance.
Establish a Cyber Security Program – Organizations will develop a program to ensure the confidentiality, integrity, and availability of information systems that perform five core cybersecurity functions including:
- Identification of cyber risks.
- Implementation of policies and procedures to protect against unauthorized access/use or other malicious acts.
- Detection of cybersecurity events.
- Response to identified cybersecurity events to mitigate any negative effects.
- Recovery from cybersecurity events and restoration of normal operations and services.
Adopt a Cyber Security Policy – Organizations must adopt a written cybersecurity policy, setting forth policies and procedures for the protection of their information systems and nonpublic information that addresses, at a minimum, the following:
- Information security.
- Data governance and classification.
- Access controls and identity management.
- Business continuity and disaster recovery planning and resources.
- Capacity and performance planning.
- Systems operations and availability concerns.
- Systems and network security.
- Systems and network monitoring.
- Systems and application development and quality assurance.
- Physical security and environmental controls.
- Customer data privacy.
- Vendor and third-party service provider management.
- Risk assessment.
- Incident response.
Identify a Chief Information Security Officer (CISO) – Organizations must appoint a CISO to oversee the implementation of the cyber security program. The CISO is required to report biannually to the organization’s Board of Directors.
Third-Party Service Providers – Organizations must have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third parties, and these must include the following:
- Identification and risk assessment of third parties with access to such information systems or such nonpublic information.
- Minimum cybersecurity practices required to be met by such third parties.
- Due diligence processes used to evaluate the adequacy of the cybersecurity practices of such third parties.
- Periodic assessment, at least annually, of third parties and the continued adequacy of their cybersecurity practices.
By February 15, 2019, DFS covered entities will be required to file a second annual Certification of Compliance for calendar year 2018. In addition, any covered entity that is entitled to an exemption must file a Notice of Exempt status by February 15, 2019, for the calendar year 2019 prior to filing the annual certification for calendar year 2018.
Antalek and Moore are here to assist you and help bring your organization into compliance with this new regulation. Give us a call this week to discuss your needs and concerns.