The New York State Department of Financial Services (NYDFS) has launched a significant initiative to impose detailed Cyber Security requirements on covered financial institutions. The Final Rules, published here, go into effect on 1 March 2017.
The New York Department of Financial Services (NYDFS) has proposed regulations that require all financial services businesses operating in New York to develop and maintain a comprehensive Cyber Security program. The regulations impose significant, yet minimum Cyber Security requirements, and mandate board of director involvement and accountability.
Where does this have an impact?
The NYDFS proposed regulations apply to every business operating in New York that is required to have a “license, registration, charter, certificate, permit, accreditation or similar authorization” under New York’s banking, insurance or financial services law.
Who are the Institutions regulated by DFS?
While this includes banks and insurers, it also includes related businesses. Brokers, including mortgage and insurance brokers, as well as bail bond agents, check cashers, non-profit credit counselors and budget planners, licensed lenders, premium finance agencies, and others, are potentially subject to the regulations. You can see the other NYDFS supervised businesses discussed here. Below is a list of the types of institution that NYDFS supervises.
- Banks & Trust Companies
- Budget Planners
- Charitable Foundations
- Check Cashers
- Credit Unions
- Domestic Representative Offices
- Foreign Agencies
- Foreign Bank Branches
- Foreign Representative Offices
- Health Insurers, Accident and Related Entities
- Holding Companies
- Investment Companies
- Licensed Lenders
- Life Insurance Companies
- Money Transmitters
- Mortgage Bankers
- Mortgage Brokers
- Mortgage Loan Originators
- Mortgage Loan Servicers
- New York State Regulated Corporations
- Premium Finance Agencies
- Private Bankers
- Property and Casualty Insurance Companies
- Safe Deposit Companies
- Sales Finance Companies
- Savings Banks and Savings and Loan Associations (S&Ls)
- Service Contract Providers
What Do You Need to Know?
As a first step, determine whether your organization is covered. Note: the scope of the regulations is broad, but there are exemptions.
Step 1 – Is my company exempt? If so, a certificate of exemption must be filed with NYDFS within 30 days of that determination.
1- “fewer than 10 employees, including any independent contractors of the Covered Entity or its Affiliates located in New York or responsible for business of the Covered Entity.” (Section 500.19(a)(1)).
2- Covered Entities with less than US$5M in gross revenue from their New York business operations (or their affiliates’ operations). Note – Some larger financial institutions with a smaller New York “footprint” may qualify for either (or both) of these new limited exemptions.
3- Certain captive insurance companies that do not control, use, or possess Nonpublic Information beyond information relating to their parent and affiliate companies.
Step 2 – Retain a Chief Information Security Officer (CISO); one must be designated no later than 28 August 2017.
Step 3 – Organizations need to understand and/or update their risk profile.
NOTE – The types of entities listed above receive only limited exemptions under the regulations.
How does this impact my business?
The Cyber Security program must serve six core functions:
- IDENTIFY INTERNAL AND EXTERNAL CYBER RISKS;
- USE DEFENSIVE INFRASTRUCTURE;
- DETECT CYBERSECURITY EVENTS;
- RESPOND TO AND MITIGATE IDENTIFIED OR DETECTED CYBERSECURITY EVENTS;
- RECOVER FROM CYBERSECURITY EVENTS AND RESTORE NORMAL OPERATIONS; AND,
- MEET REGULATORY REPORTING OBLIGATIONS.
In addition, the Cyber Security programs must include regular employee training on Cyber Security, and contain controls sufficient to monitor user activity and detect unauthorized user access.
When does this compliance go into effect?
The requirement dates for the Final Rules are as follows:
* September 1, 2018 is a Saturday. New York law provides that when a compliance date falls on a weekend or holiday, the due date is the next business day – in this case, Tuesday, September 4, 2018 (as Monday the 3rd is Labor Day).
For several years, Digital4nx Group has been providing “Ethical hacking” Security assessments, which we define as a service where we attack your network and computer systems using real-world tools and techniques in order to find security weaknesses. Having an independent team of experts audit your security is a valuable tool that is guaranteed to uncover vulnerabilities and greatly increase your level of security.
For many organizations and especially organizations regulated by DFS, Digital4nx Group will provide an annual service which consists of a set of proactive services designed to simulate a real-world attack on your network, without the end-goal of causing harm, in order to identify, prioritize and remediate information security issues and potential exposures which could cause various risks for the organization.
For more information, please give us a call or learn more about the program here and return the attached questionnaire for a fixed fee price.
Always seek experienced legal advice.