Wondering about how to comply with New York DFS Cybersecurity regulations? You’re not alone.
New York is a pioneer in instituting cybersecurity regulations for the financial services sector. Anyone subject to the state's banking law, insurance law or financial services law needs to meet a set of requirements to show compliance.
So what do you have to do?
Here are four important elements of working with these cybersecurity rules.
Create a Cybersecurity Program
Each business will need to create a cybersecurity program that is based on a risk assessment. That means researching what could happen to jeopardize sensitive data within your business model. It also means creating backups for the crisis situations the state refers to as “cybersecurity events.” New York regulations direct businesses to implement “defensive infrastructure” to protect key data.
The cybersecurity program also needs to cover certain reporting requirements to the Department of Financial Services (DFS). The cybersecurity program is one of the most labor-intensive things you will do to get compliant, and stay compliant, with the New York cybersecurity regulations. But it is manageable given a few key resources, such as an outside consultant who can help out where necessary.
New York State also wants your business to write cybersecurity policy into your operations.
There is a long list of what this policy needs to include. It has to cover data governance, asset and device management, and importantly, access controls for users. It has to cover disaster recovery and implement certain kinds of systems monitoring. Customer data privacy is critically important.
You will even need to write policy around vendor and service provider contracts. All of this seems extensive, but much of it is common sense when it comes to writing and implementing policies that show you are on board with data security standards.
Gatekeeping: Control Access for a Business
Another segment of the New York cybersecurity law, Section 500.07, mandates that financial institutions directly control user access to their systems to protect “nonpublic information.” This means creating deliberate identity and access management programs, and reviewing them periodically for effectiveness. With all of the modern identity and access management tools at a company’s disposal, this should not be the hardest part of complying with the New York DFS cybersecurity standard.
Building in Protocol for Notifications
As a financial institution, you will also have to comply with regulations around notifications to government parties. The business will have to have a plan to notify DFS within 72 hours of any cybersecurity event. There are also regulations regarding the SEC, FINRA, and other regulatory agencies.
Do these four things, and you will be well on your way to a good relationship with New York’s cybersecurity regulatory agencies. Ask Fractional CISO about getting everything you need to be in good standing in the state of New York, and confident about the digital safety of your enterprise.