This is the second part of a 3-part instructional series from 24By7Security on the New York State Cybersecurity Regulations.
This 3-part instructional series addresses requirements that the New York Department of Financial Services (NYDFS) introduced as NY CRR 500 (Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations). There are 23 sections, 15 of which specifically deal with Cybersecurity requirements.
Any entity subject to the Banking, Insurance and/or Financial Services laws in New York State is considered a covered entity for the purpose of compliance with NY CRR 500.
Some key definitions that are part of this regulation are:
There are 5 sections of the regulations that address the various Cybersecurity activities that covered entities should be doing as part of the implementation of this phase. The PDF available for download in this article shows what these sections entail. Major dates for this phase begin with February 15, 2018, by which date covered entities must file their first certificate of compliance with the NYDFS Superintendent’s Office. Covered entities are now required to submit a certificate of compliance on an annual basis starting February 2018. The form for this is included with the regulations.
Section 500.04(b) provides requirements for CISOs to report to the Board on the Cybersecurity program and Cybersecurity risks. Section 500.05 discusses alternatives for including monitoring and testing to assess the effectiveness of the Cybersecurity program. Section 500.09 refers to the necessary practice of conducting periodic Risk Assessments of information systems that should provide input into the Cybersecurity program. Section 500.12 handles controls using multi-factor authentication, and Section 500.14(b) addresses the necessity to conduct regular Cybersecurity Awareness Training.
The New York Cybersecurity Regulations put forth by the Department of Financial Services are a comprehensive set of step-by-step requirements that assist covered entities in setting up and maintaining a strong Cybersecurity posture, which is essential in today’s world of constant cyber crime. We hope that you find this blog and our download useful as a guideline to help you get compliant, or even as a checklist to verify your current state.
This is Part 2 of an instructional series brought to you by 24By7Security, on compliance with the New York State (NYDFS) Cybersecurity Regulations NY CRR 500, covering items that should be complied with by March 1, 2018. Look out for Part 3 of this instructional series covering items that should be complied with in the coming months.