Home > Security > New New York regulations will drive cybersecurity advances

New New York regulations will drive cybersecurity advances

September 27, 2017 author:

New regulations on cybersecurity have been published by the New York State Department of Financial Services. 23 NYCRR Part 500 will have a major impact on American business as it has serious requirements and mandates for all financial services companies doing business in New York state–which of course are almost all of them. A good article on the topic is is at https://digitalguardian.com/blog/what-nydfs-cybersecurity-regulation-new-cybersecurity-compliance-requirement-financial.┬áSignificant requirements include:

  • Policy & Program: Covered entities must instate and maintain a documented cybersecurity policy, and adopt a robust cybersecurity program, by August 28, 2017.
  • CISO: Designate a qualified Chief Information Security Officer (CISO) to oversee and implement the cybersecurity program and enforce policy.
    • The CISO must submit a written report annually to the Board of Directors and an annual compliance certification to the Department of Financial Services.
  • Data encryption: Organizations must enact controls, including encryption of sensitive data, depending on the outcome of a risk assessment.
  • Continuous monitoring: Covered entities must continuously monitor cybersecurity functionality OR conduct annual penetration testing and bi-annual assessments.
  • Enhanced multi-factor authentication: Covered institutions must employ multi-factor authentication for all inbound connections to the entity’s network.
  • Incident reporting: Covered entities must document and report all cybersecurity events.