Oxford Solutions’ expert team of security industry veterans – with NSA, Military, and Intelligence backgrounds – are at your disposal to give visibility and intelligent insight into the Department of Financial Services (DFS) Cybersecurity Regulations and Requirements for Financial Services Companies.

HOW TO GET COMPLIANT

DFS Regulations

As of March 1, 2017, 23 NYCRR 500 – Cybersecurity Requirements for Financial Services Companies went into effect. This regulation promotes the protection of information technology systems and the customer information of regulated entities. It requires each company to assess its specific risk profile and design a program that addresses its risks to meet specified cybersecurity requirements.

Organizations claiming an exemption must file a Notice of Exemption and receive confirmation from NYS DFS no later than September 27, 2017.

Who is covered?

Covered Entity – Any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law.

Limited Exemption – Any Covered Entity meeting any one of the following criteria is exempt from parts of the regulation:

  • Fewer than 10 employees including any independent contractors, OR
  • Less than $5M in gross annual revenue in NYS each of the last 3 fiscal years, OR
  • Less than $10M in year-end total assets

How Oxford Solutions helps

Oxford Solutions provides a Cybersecurity Assessment in the context of the DFS Regulations and Requirements. Using the NIST Cybersecurity Framework, we work with your organization to map your existing programs to the requirements, deliver recommendations, and implement a customized plan to adopt a sound cybersecurity program that meets the DFS requirements and deadlines.

NIST Cybersecurity Framework


Requirements for Limited Exempt Entities

Section: 500.02

Maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of your Information Systems (IS).

  1. Identify internal/external risks
  2. Use defensive infrastructure to protect the IS and the Nonpublic Information (NPI) stored on them

Required Compliance: 9/1/2017

Section: 500.03

Develop and maintain written policies to protect IS, to include: information security, governance, inventories, access controls, BCP/DR, system operations, etc.

Required Compliance: 9/1/2017

Section: 500.07

Limit user access privileges to IS and NPI; periodically review such access privileges.

Required Compliance: 9/1/2017

Section: 500.09

Conduct periodic risk assessments to: evaluate cybersecurity controls, identify new cybersecurity risks, assess adequacy of controls to protect NPI, and identify how these risks will be mitigated or accepted.

Required Compliance: 3/1/2018

Section: 500.11

Develop, maintain, and implement written policies protecting data that is held by, or can be accessed by, third-party service providers.

Required Compliance: 3/1/2019

Section: 500.13

Implement policies / procedures for secure disposal of NPI on a periodic basis.

Required Compliance: 9/1/2018

Section: 500.17

Annually certify compliance with this regulation to DFS. Develop written remedial plans for any areas not in compliance and be prepared to present them to DFS if required. Finally, DFS must be notified of any Cybersecurity Event (unauthorized access to NPI or the IS) within 72 hours of discovery.

Required Compliance:

Notify of Cyber Events: 3/1/2017

Certify: 2/15/2018

Additional Requirements for Non-Exempt Entities

Section: 500.02

Maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of your Information Systems (IS).

  1. Identify internal/external risks
  2. Use defensive infrastructure to protect the IS and the Nonpublic Information (NPI) stored on them

Required Compliance: 9/1/2017

Section: 500.03

Develop and maintain written policies to protect IS, to include: information security, governance, inventories, access controls, BCP/DR, system operations, etc.

Required Compliance: 9/1/2017

Section: 500.04

Designate a CISO to govern the entity’s cybersecurity program. The CISO is to provide written updates to the board of directors or equivalent governing body at least annually.

Required Compliance: 3/1/2018

Section: 500.05

Conduct annual Penetration Testing and bi-annual vulnerability assessments of the entity’s IS.

Required Compliance: 3/1/2018

Section: 500.06

Maintain audit trails that can reconstruct financial transactions, retained for 5 years, and collect audit logs sufficient to detect and respond to Cybersecurity Events, retained for 3 years.

Required Compliance: 9/1/2018

Section: 500.07

Limit user access privileges to IS and NPI; periodically review such access privileges.

Required Compliance: 9/1/2017

Section: 500.08

Include written procedures, guidelines and standards to ensure secure development practices for in-house developed applications. All such documents must be reviewed and approved annually by the CISO or their qualified designee.

Required Compliance: 9/1/2018

Section: 500.09

Conduct periodic risk assessments to: evaluate cybersecurity controls, identify new cybersecurity risks, assess adequacy of controls to protect NPI, and identify how these risks will be mitigated or accepted.

Required Compliance: 3/1/2018

Section: 500.10

Utilize qualified cybersecurity personnel, provide them with updates & training to identify evolving risks, and verify these personnel take steps to remain current.

Required Compliance: 9/1/2017

Section: 500.11

Develop, maintain, and implement written policies protecting data that is held by, or can be accessed by, third-party service providers.

Required Compliance: 3/1/2019

Section: 500.12

Utilize Multi-Factor Authentication (MFA) for external access to internal systems, and consider implementing MFA for all accounts with access to NPI.

Required Compliance: 9/1/2018

Section: 500.13

Implement policies / procedures for secure disposal of NPI on a periodic basis.

Required Compliance: 9/1/2018

Section: 500.14

Implement continuous monitoring to detect unauthorized access to NPI, and provide regular cybersecurity awareness training for all personnel who have access to the company’s IS and NPI.

Monitoring: 9/1/2018

Training: 3/1/2018

Section: 500.15

Based on risk assessments, implement encryption of NPI (in transit or at rest). Controls must be reviewed by the CISO at least annually.

Required Compliance: 9/1/2018

Get Compliant Today
Meet DFS Requirements and Regulations