The State of New York is the first state in the country to issue a regulation that specifically requires certain cybersecurity policies, procedures, controls and personnel for financial firms. The regulation (23 NYCRR Part 500) applies to every organization regulated by the New York State Department of Financial Services (DFS), which includes everyone licensed or registered under the Banking Law, the Insurance Law or the Financial Services Law. This blog post is the first in a series focused specifically on what Registered Investment Advisors (RIAs) in the State of New York have to do to comply with the NY DFS Cybersecurity regulations.
This first post is targeted at small RIAs and what they need to do in 2017 to comply with the new NY DFS Cybersecurity regulations. The regulation has many parts, but only five of them need a small RIA's attention this year. The regulation took effect on March 1, 2017, with a 180-day transitional period, so all of the sections outlined below must be implemented by August 28, 2017.
1) Exemptions (500.19)
First, who is a “small” RIA? An organization qualifies for the limited exemption if it meets any one of the following criteria:
- Fewer than ten employees, including independent contractors, located in New York or responsible for the business of the organization (and its affiliates).
- Less than $5,000,000 in gross annual revenue from New York business operations (including affiliates) in each of the last three fiscal years.
- Less than $10,000,000 in year-end total assets, including the assets of all affiliates.
If you are close to any of these thresholds, check the fine print of the regulation (the definitions of Affiliate and the revenue and asset calculations) to make sure that you are not over the limit. If your organization does not meet any of the exemptions, see “What large RIAs need to do to comply with NY State DFS regulations” to find out which sections apply to your firm.
Organizations that qualify for the exemption still have a number of requirements they must comply with in 2017. First, you must actually claim the exemption. That part should be relatively easy: fill out the Notice of Exemption (Appendix B to the regulation) and submit it through the DFS portal.
The employee exemption is 500.19(a)(1), the revenue exemption is 500.19(a)(2) and the assets exemption is 500.19(a)(3). The regulation requires the notice to be filed within 30 days of determining that the organization is exempt. You should target filing in conjunction with the end of the transitional period in August 2017, and re-check your numbers each year, because an organization that stops qualifying has 180 days to comply with the sections it was previously exempt from.
2) Cybersecurity Program (500.02)
Once the exemption is out of the way, the next part to focus on is the Cybersecurity Program. The program must be “designed to protect the confidentiality, integrity and availability” of your Information Systems.
The Cybersecurity Program must be based on a Risk Assessment and must be designed to perform six core functions: identify and assess the internal and external cybersecurity risks that may threaten the security or integrity of Nonpublic Information stored on your systems; use defensive infrastructure and policies and procedures to protect those systems and data from unauthorized access, use or other malicious acts; detect Cybersecurity Events; respond to detected events to mitigate their effects; recover from events and restore normal operations; and fulfill applicable regulatory reporting obligations.
The program also has a documentation requirement: all documentation and information relevant to the Cybersecurity Program must be made available to DFS upon request, so keep your risk assessment, policies and event records in a form you could hand over.
If that seems like a lot, it is. This is probably the meatiest part of the regulation for small RIAs to meet in 2017.
3) Cybersecurity Policy (500.03)
Every organization needs to implement and maintain a written cybersecurity policy, approved by a Senior Officer or the board of directors (or an equivalent governing body). The policy must be based on the Risk Assessment and must address the following areas, to the extent they apply to your firm:
(a) information security
(b) data governance and classification
(c) asset inventory and device management
(d) access controls and identity management
(e) business continuity and disaster recovery planning and resources
(f) systems operations and availability concerns
(g) systems and network security
(h) systems and network monitoring
(i) systems and application development and quality assurance
(j) physical security and environmental controls
(k) customer data privacy
(l) vendor and Third Party Service Provider management
(m) risk assessment
(n) incident response
While such a big list looks imposing, formalizing what your organization already does in each area (provided that it is reasonable) goes a long way toward writing these policies. There are third parties that provide policy templates which can be readily tailored to your organization’s business needs; just make sure the finished policy describes what you actually do, since DFS can ask for the documentation behind it.
4) Access Privileges (500.07)
Organizations need to limit user access privileges to the Information Systems that provide access to Nonpublic Information, and they must periodically review those access privileges. In practice this means giving each user only the access their role requires, removing access promptly when someone leaves or changes roles, and keeping a dated record of each review. For a small firm this should be one of the easiest sections to comply with.
5) Notices to Superintendent (500.17(a))
When your organization experiences a Cybersecurity Event of either of the following two kinds, you must notify DFS within 72 hours of determining that the event occurred (the clock starts at the determination, not at the event itself). The first kind is any event for which you are already required to notify a government body, self-regulatory agency or other supervisory body, whether that is the SEC, FINRA, New York State or another regulator. The second kind is any event that has a reasonable likelihood of materially harming any material part of your normal operations. In either case you must notify DFS.
The new regulation will almost certainly affect your organization. Outlined above are the key parts of the regulation for small RIAs in 2017. (2018 brings another set of requirements, including the first annual certification of compliance, due February 15, 2018.) By preparing now you can be ready for August 28, when the first wave of NY DFS cybersecurity requirements takes effect.
Don’t have the time to sort this all out? Give Fractional CISO a call. We can help you put your Cybersecurity Program in place, helping you set your policies and provide a roadmap for meeting the NY DFS Cybersecurity regulations.