The New York State Department of Financial Services (NYS DFS) just released the final version of its new cybersecurity regulations that affect organizations doing business under New York banking, insurance and financial services regulations. The new regulation is designated 23 N.Y.C.R.R. Part 500, and goes into effect on March 1, 2017.
Paul Greene, an attorney at Harter Secrest & Emery, noted in a recent blog post that the main change in the regulation from earlier drafts is the move to a more risk-adjusted approach to cybersecurity, rather than a purely prescriptive one. Rather than applying a one-size-fits-all approach, the NYS DFS is allowing Covered Entities to define the risk associated with their nonpublic information before deciding on the best way to protect it. Questions remain, however, concerning the scope and reach of these regulations.
“New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever increasing threat of cyber-attacks,” New York Governor Andrew M. Cuomo said. “These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes.”
While the regulation covers everything from protecting nonpublic information to reporting on cybersecurity events, the risk-based approach to compliance will most likely affect the encryption, access control, audit and reporting sections of the regulation. While most organizations agree they need to improve their cybersecurity, many are not sure what information they need to protect or how to protect it.
Part of the challenge is understanding what you have and where it is. While many financial organizations know what is in a database or other structured information system, documents containing nonpublic information are everywhere. As organizations go about their daily business, employees and contractors create documents with sensitive information and share them through email, file sharing systems, instant messaging and many other channels. These end up on mobile devices, laptops, servers, cloud repositories and external systems. Finding them and determining their content is step one in understanding how to protect them.
Another area not completely defined, per Paul Greene, is how Covered Entities will report material Cybersecurity Events within the 72-hour window contained in the regulation. DFS does not yet have a system for this. It might be a secure reporting portal or other online system, but as of today nothing is in place.
The first deadline for compliance is 180 days from the regulation's effective date, that is, August 28, 2017. At that point financial organizations are subject to certain parts of the regulation, with the more difficult areas allowing 12 and 18 months for compliance. I assume that by August the DFS will have a way to administer the regulation.
If you are regulated in New York State by this regulation, you need to begin the compliance process now to improve your cybersecurity posture.