Final NY DFS cybersecurity regulations signed into law

Authored by: Chris Tait and Russ Sommers

The New York Department of Financial Services’ (NY DFS) cybersecurity regulations were signed into law on Feb. 16, 2017. These new sweeping regulations will pose some challenges for financial services organizations. What previously were optional best practices, now are law.

What are the effective dates?

The regulations went into effect March 1, 2017 with a transitional period to comply ranging up to two years – a relatively short time frame for compliance considering the difficulty of implementing specific requirements.

Who is affected?

All financial services entities that do business in the State of New York fall under the scope of the regulations.

What are the major requirements?

  1. Periodic risk assessment (Section 500.09)
    The basis for many of the law’s other requirements starts with an entity’s risk assessment. Traditionally, risk assessments are performed on an annual basis for many entities, however, the law requires periodic risk assessment to address ongoing changes to the entity’s environment. This could serve as a challenge for organizations to identify the triggering events that would require a refresh of their risk assessment and corresponding adjustment of their controls.
  2. Annual penetration testing and bi-annual vulnerability assessments (Section 500.05)
    While vulnerability and penetration testing are fairly common in mature cyber programs, the trend is to move to continuous monitoring and assessment. The law states that ‘absent effective continuous monitoring or effective systems to identify changes that may create vulnerabilities’, entities should perform the assessments according the defined schedule. The more challenging part of this requirement will be the development of a vulnerability management program to consistently address the vulnerabilities in an effective manner on a regular basis.
  3. Encryption of nonpublic information (Section 500.15)
    While the law does not require encryption if it is deemed infeasible, organizations still need to evaluate the feasibility and develop/implement compensating controls to protect the data if they can’t encrypt the data. While this may sound easier said than done, it will be important for entities to document their assessment and not just jump to the conclusion that compensating controls are the most appropriate solution given their systems and architectures.
  4. Third party service provider security policy (Section 500.11)
    Companies will need to identify and assess the risk of using third parties with access to nonpublic information. This will be a challenge for many organizations and is reflected in the two year transitional period. This provision was cited as one of the highest concern areas for implementation by respondents in a recent poll conducted by Baker Tilly.

Key changes and considerations

Organizations should assess their current policies and practices for readiness, and then create a plan for implementation of the phased requirements.

Many organizations may have portions of the regulations already in place through various frameworks. Our specialists have created a comparison chart to help you in identifying areas in which you may already have policies in place. You can download the cybersecurity regulatory comparison chart here.

For more information on this topic, or to learn how Baker Tilly financial services industry specialists can help, contact our team.