The overarching goal of this regulation is simple: it aims to "promote the protection of customer information as well as the information technology systems of regulated entities" amid today's evolving threat landscape and an ever-increasing number of cyberattacks. A regulated entity must "ensure the safety and soundness of the institution and protect its customers."
The regulation requires covered entities to protect nonpublic information by enacting cybersecurity measures that mitigate the risk of a cyberattack. Nonpublic information includes personally identifiable information, personal health information, and confidential business information. Companies must assess their specific risk profile and design a comprehensive program that robustly addresses those risks. Additionally, covered organizations must file an annual report confirming compliance.
So, how can you meet compliance, or check whether you have met all requirements? Best practices for working towards compliance with the NYDFS Cybersecurity regulation are outlined below. However, we highly recommend consulting with a qualified attorney or cybersecurity professional to ensure that you have met all requirements.
What do you need to do to comply with the NYDFS Cybersecurity regulation?
1. Have a Documented Cybersecurity Policy. The first step is simply having a documented cybersecurity policy. It must be approved by your company's governing body and clearly show how you are protecting personally identifiable information, personal health information, and confidential business information. Written procedures outlining secure practices for the use of applications must also be documented.
Your cybersecurity policy should accomplish 6 core functions:
- Identify and assess internal and external cybersecurity risks that may threaten the security or integrity of nonpublic information stored on your Information Systems
- Use defensive infrastructure and the implementation of policies and procedures to protect your Information Systems from unauthorized access, use or other malicious acts
- Detect cybersecurity events
- Respond to identified or detected cybersecurity events to mitigate any negative effects
- Recover from cybersecurity events and restore normal operations and services
- Fulfill applicable regulatory reporting obligations
If any of these functions feel overwhelming, or if you are unsure whether your company has met all of them fully, we recommend consulting with an experienced cybersecurity professional. Please feel free to contact us for assistance.
2. Appoint a Chief Information Security Officer (CISO). According to the guidelines, an outside company (such as Touchstone) can fill this role. The CISO must report annually to your company’s governing body (most often a board of directors) on the cybersecurity policies and risks. To the extent applicable to your organization, a CISO can help ensure you have policies in place that are in line with the regulation, including:
- Data governance and classification
- Information security
- Asset inventory and device management
- Disaster recovery planning
- Systems and network security/monitoring
- Physical security and environmental controls
- Customer data privacy
- Risk assessment and incident response
3. Conduct Risk Assessments. This entails conducting a periodic Risk Assessment of your Information Systems and assessing whether your cybersecurity policies need updating to address any changes in your business operations.
4. Encryption. Controls, including encryption, are mandated to protect nonpublic information at rest and in transit.
5. Employee Training and Certification. All employees implementing the regulations, including contractors, must be trained and certified. Additionally, you must limit user access privileges to Information Systems that hold nonpublic information.
6. Penetration Testing and Vulnerability Assessments. This involves annual penetration testing and bi-annual vulnerability assessments.
7. Third-Party Vendor Requirements. If your company deals with third-party vendors, you are required to have a set of documented policies to safeguard nonpublic information that any third-party vendor has access to.
8. Incident Response Plan. Have a detailed incident response plan prepared that sets out what your company will do within 72 hours if a security breach does occur. If an incident does occur, you must report the event to the DFS through the DFS portal.
9. Multi-factor Authentication. This must be implemented on all accounts with access to protected information.
10. Data Retention Requirements. A documented set of procedures for the periodic, safe disposal of nonpublic information that is no longer used for business operations is required.
11. Submit a Yearly Certification to the NYDFS. This includes employee security awareness training, penetration testing results, and a risk and vulnerability assessment. Covered entities must file the Certification of Compliance each calendar year. This can be done through the DFS secure online portal. This year, the deadline was June 1st.
Without meeting compliance requirements, you are also at risk of incurring legal problems. Although the DFS has yet to impose a fine for inadequate cybersecurity compliance, 2020 may mark a change: in 2019, the DFS formed a Cybersecurity Division headed by a former federal cybercrime prosecutor. The purpose of this action was to lead enforcement of the Cybersecurity Regulation, and increased enforcement this year is anticipated. These steps aren't draconian, and they should represent the beginning of your cybersecurity program rather than its end.