onShore Security

The Deadline for NYDFS Cybersecurity Regulations Looms: Are You Ready?

September 28, 2018 By Josh Eklow

On March 1, 2019, all banks, other regulated entities and persons regulated and licensed through the Department of Financial Services (DFS) must be in compliance with the requirements of 23 NYCRR 500.11.

If you do business in New York State—and who doesn’t?—these NYDFS cybersecurity requirements apply to you; your bank must be in compliance.

What Led to NYCRR 500?

The text of the regulation describes the urgency of an “ever-growing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors.”

Cybercriminals, the text warns, have recently “sought to exploit technological vulnerabilities to gain access to sensitive electronic data” and pose a risk of “significant financial losses for DFS regulated entities as well as for New York consumers whose private information may be revealed and/or stolen for illicit purposes. The financial services industry is a significant target of cybersecurity threats.”

As a result, the regulation continues, “It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs. The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark. Adoption of the program outlined in these regulations is a priority for New York State.”

NYDFS Requirements & A Surprising Lack of Progress by Banks

Surprisingly few banks have established NYDFS compliance, a lack of preparedness similar to the one seen with GDPR. To do so, banks must meet five overarching requirements:

  1. Cybersecurity Risk Assessment: identification and assessment of internal and external cybersecurity risks that may threaten the security or integrity of non-public information stored on your network
  2. Cybersecurity Policy: implementation and maintenance of a written policy based on the cybersecurity assessment
  3. Named CISO: nomination of a chief information security officer (CISO); if you do not employ one, you must hire one or engage a third-party managed security provider to serve in this capacity
  4. Penetration Testing & Vulnerability Assessments: implementation of annual network penetration testing and bi-annual vulnerability assessments
  5. Annual Attestation: annual submission of certification of compliance to the NYDFS superintendent

Specific NYDFS cybersecurity requirements cover a range of issues:

  • Audit trails
  • Access privileges
  • Application security (e.g. mobile apps and online banking)
  • Confidentiality
  • Cybersecurity personnel and intelligence
  • Encryption of non-public information
  • Exemptions
  • Incident response planning
  • Limitations on data retention
  • Multi-factor authentication
  • Superintendent notices
  • Third-party service provider security policy
  • Training and monitoring

The Fastest Way to Comply with NYDFS Cybersecurity Requirements

The place to start is with an initial Security Maturity Assessment.

Contact us today to schedule your assessment. We’ll follow up with a plan for addressing the gaps and taking the steps required to reach compliance before the deadline.
