NEW YORK DFS COMPLIANCE

The New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) require covered organizations to annually certify their compliance with the regulations.

RedSeal’s cyber risk modeling platform can greatly aid your organization in efficiently achieving and documenting compliance with the NYS DFS Cybersecurity Regulations. RedSeal can quickly help you design, implement, and document compliant programs and policies.

Who is impacted?

Your organization is covered if it is an individual or non-governmental organization supervised by the New York State Department of Financial Services (NYS DFS) and relies on it for license, registration, charter, certification, permit, accreditation, or similar authorization.

Vendors and service providers for these organizations are also impacted because they will have to implement minimum cybersecurity practices to meet their client organizations’ policies and be subject to regular audits and assessments.

What’s in it?

To comply with the requirements, organizations need to establish and maintain:

• A cybersecurity program designed to protect the confidentiality, integrity, and availability of the organization’s information systems. The cybersecurity program needs to perform the following functions:
  • Identify and assess internal and external cybersecurity risks
  • Use defensive infrastructure configured according to specific policies and procedures
  • Detect cybersecurity events
  • Respond to cybersecurity events
  • Recover from cybersecurity events and restore normal operations and services
  • Fulfill obligations to report to the Board on the above

• A cybersecurity policy – a written policy approved by the organization’s Board of Directors setting forth the policies and procedures for the protection of its information systems and nonpublic information stored on those systems. The cybersecurity policy needs to address the following areas:
  • Information security
  • Data governance and classification
  • Asset inventory and device management
  • Access controls and identity management
  • Business continuity and disaster recovery planning and resources
  • Systems operations and availability concerns
  • Systems and network security
  • Systems and network monitoring
  • Systems and application development and quality assurance
  • Physical security and environmental controls
  • Customer data privacy
  • Vendor and third-party service provider management
  • Risk assessment
  • Incident response

• A chief information security officer (CISO) in charge of overseeing and implementing the cybersecurity program, enforcing cybersecurity policy and sustaining compliance with the NYS DFS Cybersecurity Regulations. Each year, the CISO must report the following information to the Board:
  • Confidentiality of nonpublic information and the integrity and security of information systems
  • Cybersecurity policies and procedures
  • Material cybersecurity risks
  • Overall effectiveness of the cybersecurity program
  • Material cybersecurity events over the past year

For specifics on how RedSeal’s network modeling and risk scoring platform can help achieve and demonstrate compliance with a large proportion of these regulations, download our datasheet, “NYS DFS Cybersecurity Regulations Compliance with RedSeal.”