The New York State Department of Financial Services' (NYDFS) Cybersecurity Regulation (23 NYCRR 500) recently came into force. It sets out a new code of conduct for the entities the Department licenses or regulates (banks, insurers and other financial services firms operating in the State of New York) and is designed to protect the data of customers in the financial services sector.
The Regulation requires that on February 15, 2018 (and annually thereafter), the organization's Board of Directors or a Senior Officer certify compliance to the DFS with a "Certification of Compliance with New York State Department of Financial Services Cybersecurity Regulations." Section 500.03 mandates that each organization implement and maintain a written policy or policies, approved by a Senior Officer or the Board of Directors, setting out the organization's policies and procedures for the protection of its information systems and the nonpublic information stored on those systems.
The cybersecurity policy is prescriptive in scope and must address areas such as information security; data governance and classification; access controls and identity management; business continuity and disaster recovery planning and resources; incident response; and customer data privacy.
Additionally, each organization must designate a qualified individual as Chief Information Security Officer (CISO), responsible for overseeing and implementing the organization's cybersecurity program and enforcing its cybersecurity policy.
The purpose of the Regulation is clear and beneficial. It seeks both to define good security practices and to make business owners accountable for their implementation. In an age where cybersecurity is an ever-greater concern and threats are more prevalent, it is critical that every member of an organization be accountable for the role they play in securing the information they create and share.