The landmark NYS DFS cybersecurity regulation that took effect in New York State in March 2017 is approaching its third of four milestones. This was the first regulation of its kind that included prescriptive direction for the protection of personally identifiable information handled by all financial institutions that conduct business in the State.
The previous milestones included policy creation, such as having a cybersecurity program and an incident response plan. The second milestone specifically added some more technical items, including multi-factor authentication for remote access as well as penetration testing.
The next set of milestones is set to take effect on September 1, and they are amongst the toughest from a technical standpoint. They include data encryption (in transit and at rest), five-year audit trails and limitations on data security.
Take a moment to digest those objectives. They are not easily accomplished tasks, and many companies that have not previously been required to achieve these levels of compliance are understandably struggling to meet this deadline. The biggest problem with the requirements is that they are not very specific, particularly the audit trail requirement.
Diving into the NYS DFS Cybersecurity Regulation
The regulation specifies:
(a) Each Covered Entity shall securely maintain systems that, to the extent applicable and based on its Risk Assessment:
(1) are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the Covered Entity; and
(2) include audit trails designed to detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity.
(b) Each Covered Entity shall maintain records required by section 500.06(a)(1) of this Part for not fewer than five years and shall maintain records required by section 500.06(a)(2) of this Part for not (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Bob Covello. Read the original post at: https://www.tripwire.com/state-of-security/regulatory-compliance/milestone-nys-dfs-cybersecurity-regulation/