NYS DFS Transitional Period Ends Friday – Are You Ready?

The two-year transitional period of the NYS DFS cybersecurity regulation (23 NYCRR 500) comes to an end this Friday, March 1st, 2019, at which point all ‘covered entities’ must be compliant. So, who does this impact, what is required to be compliant, and how can IntelliGO help? I’ll detail some specific requirements of the regulation, a few of the exemptions from them, and how our MDR and vCISO services can help your business meet them.

Who does it impact?

Any entity that’s regulated by New York State’s banking, insurance, or financial services laws and hasn’t been issued an exemption. However, like GDPR, such an entity can be based outside of New York State and still be required to comply if it is doing business there. Note that having a parent or subsidiary that is compliant may not be enough, depending on how data and security systems are shared across these distinct business entities.

What are the exemptions?

Several criteria can exempt an entity from specific requirements of the regulation (not all of it). That said, in most cases the entity is still required to have a cybersecurity policy and program, along with many other requirements (see the NY DFS website’s exemptions section for the full list). The exemptions mainly have to do with the size of the business in question, as measured by the number of employees, revenue, or total year-end assets. Others apply to entities that do not control any information systems at all (pretty rare in our increasingly data-driven society), or to other particular cases.

What is the impact?

The regulation includes stipulations about your security measures, designed to protect the privacy of New Yorkers. Examples of these include a cybersecurity program and written policy based on a risk assessment; designation of a CISO (yes, (Read more...)

*** This is a Security Bloggers Network syndicated blog from IntelliGO MDR Blog authored by Adam Mansour. Read the original post at: