A significant deadline is now approaching under the New York State Department of Financial Services (“DFS”) cybersecurity regulation, 23 NYCRR 500. On March 1, 2019, the two-year transitional period under the NY DFS regulation expires and all remaining requirements become effective. The final requirement concerns supply chain cybersecurity.
The NY DFS cybersecurity framework requires the protection of the confidentiality, integrity and availability of information systems.
On December 21, 2018, the NY DFS issued a memorandum titled “DFS Cybersecurity Regulation — First Two Years and Next Steps.” The memo emphasizes how banks, insurance companies, and other financial institutions, with limited exception, must adopt all core requirements of the requisite cybersecurity program by March 1, 2019.
The core requirements of the NY DFS cybersecurity regulation include:
- maintenance of a written cybersecurity policy
- multi-factor authentication
- application security
- third-party information security policies and procedures
- data retention limitations
- penetration testing
- risk assessments
- appointment of a Chief Information Security Officer (CISO)
- establishment of governance processes to ensure senior attention to the matter
- training and monitoring for all authorized users
- effective access privileges
- maintenance of an audit trail system
- a written incident response plan
- adhering to breach reporting and certification requirements
Third-party Risk Management
The last, phased-in requirement is to implement a third-party risk management program. By March 1, 2019, covered entities must have a program in place to manage third-party risk.
This means that the entity will have to perform due diligence on its third-party vendors, technology firms, consultants, accountants, cloud service providers, and other outsourced or connected services — then continue to monitor these relationships.
Periodic, risk-based assessments of third-party vendors will be necessary.
Supply chain cybersecurity is imperative – and difficult to implement. Often the sheer number of third-parties involved make the process cumbersome. CISOs must have oversight of anything that touches their IT assets. The more connected third-parties, the more attack surfaces. Despite the challenges, NY DFS has given its regulated entities two years to build compliant third-party vendor management programs. That time is nearly up.
Additional February 15, 2019 Deadline
In addition to the significant March 1, 2019 deadline, on February 15, 2019, the annual Certification of Compliance (for the calendar year 2018) is due.
Sera-Brynn has been helping clients adopt and adhere to the NY DFS cybersecurity law since its inception. Risk assessments, penetration testing, fractional CISO services, and consulting are some of the ways we can help. Contact us to discuss in more depth.
The author, Colleen H. Johnson, is the senior cyber legal analyst for Sera-Brynn.