Posted on Feb 22, 2019
In September 2016, the New York Department of Financial Services (NY DFS) announced its landmark Cybersecurity Regulation, creating the first regulatory cybersecurity-specific compliance requirement. Enforced beginning on February 15, 2019, the NY DFS Cybersecurity Regulation requires all Covered Entities and licensed persons who are not fully exempt from the Regulation to submit a Certification of Compliance. The document provides an attestation covering compliance for the 2018 calendar year. Despite being enforceable for two years, NY DFS filed its first charges in July 2020. With the agency now showing its teeth, understanding the NY DFS cybersecurity regulation requirements can protect data and reputation.
The NY DFS Cybersecurity Regulation, 23 NYCRR 500, intends to promote supply chain cybersecurity across the financial services industry by creating a rigorous risk-based approach to cybersecurity and vendor risk management.
The law establishes sixteen cybersecurity compliance requirements including:
Organizations that need to meet NY DFS Cybersecurity Regulation compliance must complete the Certification of Compliance confirming compliance using the DFS Portal where they enter the following information:
This entry serves as an attestation that the organization has engaged in the appropriate compliance requirements even though no documentation needs to be uploaded to the portal. However, Under 23 CRR-NY 500.2 “Cybersecurity program,” the law notes that regulated entities must make all documentation available to the superintendent upon request. Ultimately, while the law does not specify an audit requirement, the attestation provided in the Certification of Compliance indicates that the appropriate audit trail documents exist and can be provided to the superintendent.
Although most financial services organizations need to meet NY DFS Cybersecurity Regulation compliance, a few limited exemptions exist.
Under the law, limited exemptions exist for small businesses. To qualify, a company must meet at least one of the following requirements:
These organizations are only exempt from the following sections:
Any covered entity employees, agents, representatives, or designees who would also be considered covered entities can use the original company’s cybersecurity program and need not create their own.
Another set of limited exemptions can be applied to a covered entity that neither directly nor indirectly incorporates information systems into its business and does not nor is required to directly or indirectly manage any NPI. These organizations are exempt from:
Additionally, organizations under article 70 of the Insurance Law that only manage their corporate parent company’s non-public information are exempt from:
SecurityScorecard enables covered entities to monitor their own security posture as well as that of their vendors. Our platform uses outside-in approach measures risk across ten categories and provides organizations with easy-to-read ratings. The A-F rating scale applies to the overarching security posture and to the individual risk categories so that companies can prioritize risk mitigation strategies.
Check out our list of 3 top third party risk management (TPRM) challenges, and the actions you can take to bolster your program. Learn more.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
Co-founder and CEO, Alex Yampolskiy, speaks about the importance of measuring and acting on key indicators of cybersecurity risk.
You’ve invested in cybersecurity, but are you tracking your efforts? Check out our list of 20 cybersecurity KPIs you should track. Read more.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.