EAlert: Cybersecurity Rule to Be Effective September 2017

The DFS 23 NYCRR 500 requires “Covered Entities” which generally includes all companies, firms, or persons governed by DFS, to comply with this regulation and provide a certification of compliance by February 28, 2018.

The compliance is, in broad strokes, with operational activities that DFS believes will reduce cyber-crime and increase cybersecurity.

Some of the compliance areas and features are as follows:

  • Have a cybersecurity policy and program in place. They should be broad and have the ability to identify and assess threats, address the identified threats, and have certain minimal provisions required by DFS.
  • Appoint a Chief Information Security Officer (CISO) with internal reporting responsibilities, namely to the Board or audit committee. The CISO is the main contact person for all the DFS cyber-security requirements.
  • Document all activities that are measured as part of the cybersecurity program, and have an audit trail. This is a built-in software feature and a minimal required feature, regardless of risk assessment.
  • Customize and monitor Access Rights (authorization). This is another minimally required feature.
  • Perform risk assessment to identify and address threats.
  • Have qualified personnel, with demonstrable qualifications for the cybersecurity management functions.
  • Manage third-party vendors and providers, and the cybersecurity risks that they pose. This is a minimally required feature, regardless of any risk assessment.
  • Multi-factor authentication – this piece got a lot of press, but at the end DFS was willing to make this feature subject to the risk assessment, and other mitigating controls.
  • Data retention policies
  • Encryption of Non Public Information (NPI). There are various ways data resides in systems, and all these ways should be considered when encryption is applied. This required feature can be subject to mitigating controls.
  • Incident response plan. This is another minimally required feature, regardless of any risk assessment findings.
  • Notice to DFS, within 72 hours of an incident.For a full explanation of requirements, click here. You can also contact Yigal Rechtman, Forensic Principal of Grassi & Co., at yrechtman@grassicpas.com.