BIG I

Find out if you would pass the compliance with the New York Department of Financial Services (DFS) And Book your COMPLIMENTARY NO-OBLIGATION Cybersecurity Audit

At no cost or obligation, we’ll conduct a FREE Cybersecurity audit of your company’s overall network health to review and validate as many as 10 different data-loss and security loopholes.

We’ll also look for common places where security and backup get overlooked, such as mobile devices, laptops, tablets and home PCs.

This Audit can be conducted 100% remote with or without your current IT company or department knowing.

SCHEDULE A COMPLIMENTARY CYBERSECURITY AUDIT

 

SCHEDULE A COMPLIMENTARY CYBERSECURITY AUDIT

NYDFS Cybersecurity Requirements for Financial Institutions

In 2017 the New York State Department of Financial Services created the NYDFS cybersecurity regulation 23 NYCRR 500, which held financial institutions accountable for maintaining their cybersecurity program. The goal of the regulation is to ensure the safeguarding of sensitive customer data and to promote the integrity of the information technology systems of regulated entities.

As a filling entity you must comply with:

All regulated entities will need to develop a cybersecurity policy and implement an incident response plan that includes a notification system for data breaches and cybersecurity events within 72 hours.

NYDFS 23 NYCRR 500 Cybersecurity Requirements are incredibly confusing, and the fines for not being compliant can be debilitating.

The DFS 23 NYCRR 500 applies to all regulated entities meaning “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the financial Services Law”, including:

  • State banks
  • Licensed Lenders
  • Private Banks
  • Foreign Banks operating in New York
  • Mortgage Companies
  • Insurance companies
  • Trust companies
  • Service providers

The cybersecurity regulations do not specifically detail any potential penalties or the impact of noncompliance. Instead, they “will be enforced by the superintendent [of NYDFS] pursuant to, and [are] not intended to limit, the superintendent’s authority under any applicable laws.”

Enforcement actions most likely would arise pursuant to the general authority of NYDFS under the New York Banking Law, which authorizes the superintendent of NYDFS to require a regulated entity to pay a penalty “for any violation of this chapter [or] any regulation promulgated thereunder” (which would include the cybersecurity regulations).

Penalties pursuant to the New York Banking Law are authorized up to (a) $2,500 per day during which a violation continues, (b) $15,000 per day in the event of any reckless or unsound practice or pattern of misconduct, or (c) $75,000 per day in the event of a knowing and willful violation.

Cybersecurity Regulation Exemptions

Section 19 of the DFS cybersecurity regulation contains several exemptions. Most exemptions are limited in nature and require Covered Entities to still comply with some provisions of the Regulation. If you apply for an exemption, you still have to (a) File a Cybersecurity Notice of Exemption, (b) Implement the required elements of the Cyber security program, and (c) Have in place Cyber security policies and response system.

500.19(a)(1) Fewer than 10 employees working in NYS

You are entitled to this limited exemption when your business has fewer than 10 employees, including independent contractors. You must still design and implement a Cybersecurity program, including submitting an annual Certification of Compliance.

500.19(a)(2) Less than $5M in gross annual revenue

You are entitled to this limited exemption when your business has less than $5,000,000 in gross annual revenue in each of the last 3 fiscal years. You must still design and implement a Cybersecurity program, including submitting an annual Certification of Compliance.

500.19(a)(3) Less than $10M in year-end total assets

You are entitled to this limited exemption when your business has less than $10,000,000 in year-end total assets. You must still design and implement a Cybersecurity program, including submitting an annual Certification of Compliance.

Proving Compliance with NYDFS

Utilizing risk assessments to benchmark and assess the posture of your cybersecurity program is essential. At the end of each year, regulated institutions need to complete an annual certification process in coordination with the board of directors to evaluate their cybersecurity program.

At the end of this process, the organization will need to provide a Certification of Compliance with NYDFS Cybersecurity Regulation.

Under 23 NYCRR 500, a program must coincide with best practices that support:

  • Information Security
  • Access Controls and identity management
  • Business continuity and disaster recovery planning
  • Security and Personnel Training
  • Security of information systems
  • Network Security
  • Periodic risk assessments
  • Internal reporting and auditing
  • Data Encryption and Protection
  • Threat Feed Detection
  • Incident Response Plans
  • Multi-Factor Authentication
  • Vendor/Third-Party Risk Assessments

FIND OUT IF YOU ARE IN COMPLIANCE IN UNDER 10 MINUTES

 

FIND OUT IF YOU ARE IN COMPLIANCE IN UNDER 10 MINUTES