What is NYSDFS?
The New York State Department of Financial Services (NYSDFS) is the department responsible for regulating financial services and products for the New York State government. This includes the services subject to New York insurance, banking and financial services laws.
By August 28, 2017, NYSDFS Covered Entities had to comply with the following requirements of the Cybersecurity Regulation (23 NYCRR Part 500):
~ A Cybersecurity Program must be maintained
~ A Cybersecurity Policy must be drafted and implemented
~ A Chief Information Security Officer must be designated
~ Access Privileges must be limited
~ Cybersecurity Personnel must be engaged, trained and updated
~ Incident Response Plan must be drafted and established
~ Notices to the Superintendent of certain cybersecurity events are required
Coming in 2018
The First Annual Compliance Certificate.
On February 15, 2018, a significant requirement of the Regulation will begin. A Senior Officer or the Board of Directors must certify that the Covered Entity is in compliance with all applicable requirements of the Regulation. The person or people making the certification, which will be submitted electronically on a prescribed form, will need to be identified. They will also need to be able to support the certification with documentation showing it is accurate, so this requirement should be part of the planning and not left until the deadline.
By the next transition date of March 1, 2018, each Covered Entity will need to have completed its first periodic risk assessment under written policies and procedures, and document its findings. Additionally, these Entities must meet the following requirements of the Regulation:
~ First annual requirement for CISO’s report to the Board
~ Continuous monitoring or periodic penetration testing and vulnerability assessments
~ Multi-factor authentication or risk-based authentication
~ Cybersecurity awareness training for all personnel.
Most of the remaining requirements of the Regulation must be completed by September 3, 2018, except the requirement to draft and implement written policies and procedures to manage the security risk presented by third-party service providers, for which the transition date is March 1, 2019. By September 3, 2018, Covered Entities must also draft and implement policies and procedures limiting the retention of certain data and providing for its secure disposal. Covered Entities must complete the following by September 3, 2018:
~ Establish and document an audit trail that can reconstruct material financial transactions and detect and respond to certain cybersecurity events
~ Draft and implement policies for the security of applications used within the technology environment
~ Monitor the activities of authorized users
~ Satisfy encryption requirements for Nonpublic Information in transit and at rest.
NYSDFS Risk Assessment and Gap Assessment
Under the NYSDFS Regulation, your organization is required to conduct a periodic, documented risk assessment under written policies and procedures; many Covered Entities choose to have it performed by a qualified third-party firm. Our comprehensive assessments are designed to help you prepare for NYSDFS review, and our patented risk management methodology will save your company time and money by creating a customized control framework mapping designed specifically for your organization.
NYSDFS Penetration Test
NightLion Security provides the advanced penetration testing services for web applications, databases and internal infrastructure needed to protect your sensitive Nonpublic Information and comply with NYSDFS.
NYSDFS Compliance Guide in XLS / CSV format
Check us out at www.securitycheckbox.com