WHO IS AFFECTED BY THE NYDFS CYBERSECURITY REGULATION?

The NYDFS Cybersecurity Regulation applies to the following entities which are regulated by the Department of Financial Services:

  • State-chartered banks
  • Licensed lenders
  • Private bankers
  • Foreign banks licensed to operate in New York
  • Mortgage companies
  • Insurance companies
  • Service providers

NYDFS CYBERSECURITY REGULATION REQUIREMENTS

A cybersecurity program that complies with the new NYDFS Cybersecurity Regulation will align with the NIST Cybersecurity Framework to:

The controls are sectioned into 18 different families:

  • Access Control
  • Audit and Accountability
  • Awareness and Training
  • Configuration Management
  • Contingency Planning
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical and Environmental Protection
  • Planning
  • Program Management
  • Risk Assessment
  • Security Assessment and Authorization
  • System and Communications Protection
  • System and Information Integrity
  • System and Services Acquisition

The NYDFS Cybersecurity Regulation requires covered institutions to implement and monitor a documented cybersecurity policy. The policy must align with the industry standards set out in ISO 27001 and must cover information security, access controls, disaster recovery planning, systems and network security, data privacy for customers, and consistent risk assessments.

Organizations covered by the NYDFS Cybersecurity Regulation are also required to:

  • Enable encryption controls for sensitive data
  • Certify their compliance with the regulation on a yearly basis
  • Implement multi-factor authentication for inbound connections to the entity's network
  • Document and report all cybersecurity incidents