New York State Department of Financial Services (NYDFS) Cybersecurity Regulation

Do you need step-by-step guidance to become compliant with New York State Department of Financial Services (NYDFS) Cybersecurity Regulation, or are you looking to outsource certain components of your Cybersecurity Program? Contact us for a FREE consultation to see how we can help: NYcyber@core82inc.com or 646-794-8430

About Core82

We are a full-service Information Technology and Cybersecurity firm located in Manhattan, New York City. Our highly specialized staff come from an elite military unit that handles military communications. We are a group of senior-level security engineers and Fortune 500 compliance professionals.

We have been delivering technology, cybersecurity and compliance solutions for global financial organizations, publicly traded and private entities, power plants and military operations for 15+ years, including hundreds of client engagements.

The team at Core82 holds prestigious industry certifications including, but not limited to: Certified Information Systems Security Professional (CISSP), Cisco Certified Internetwork Expert (CCIE), Cisco Certified Network Professional (CCNP) and Cisco Certified Design Professional (CCDP).

Core82 is proud to be compliant with the strict requirements of the Service Organization Control (SOC) reporting framework, developed and enforced by the American Institute of Certified Public Accountants (AICPA). The SOC certification demonstrates that our internal and external procedures follow a strict framework that ensures the security, integrity and confidentiality of our clients’ data. This certification satisfies NYDFS Section 500.11, which requires financial companies to perform a due diligence process to ensure that their third-party service providers follow strict cybersecurity practices. It is notable that while the IT industry is unregulated and SOC compliance is completely voluntary for IT firms, we choose to hold ourselves to the highest standards.

See more on our About Us page.

Core82 Service Offering

We make it our business to understand your business and to keep our advice relevant to your needs. We will help you to set up proper security measures as part of the comprehensive Cybersecurity Program as required by the regulation, and continuously keep the program up to date to comply with the NY DFS cybersecurity rules.

The goal of Core82 in the context of the DFS requirements is to assist companies in becoming compliant. We will make the process as simple and straightforward as possible as we lead you through it. There is a finite set of technologies and actions that cover the fundamental components of cybersecurity compliance, and we make it our mission to inform and guide you through the process as we enable you to make educated decisions regarding your company’s technology.

Through an in-depth understanding of the NY State cybersecurity requirements and years of experience dealing with cybersecurity issues, Core82 has developed a checklist of items that meets all compliance requirements and, more importantly, positions our clients to develop and maintain a robust security defense.

We begin by evaluating your current technologies, policies and procedures. After the review, we make actionable recommendations for areas in need of improvement. We will compose a remediation plan and timeline that takes your budget into consideration. After we work with you to remediate the areas in question, the compliance program enters an “operational mode” to maintain the secure and compliant posture.

Alternatively, you could outsource specific components to us (such as writing policies and procedures, monitoring your network, using us as your designated Chief Information Security Officer, etc.) to free up your team’s valuable time.

Here are some of the items your environment is expected to have (the full list will depend on your company’s size and the technologies that you use):

  • Firewall
  • Next-generation anti-virus, anti-spyware and anti-malware tools
  • Proactive monitoring and management of your network
  • Automatic updates of system and security components
  • Data backup and recovery
  • Protection of sensitive data
  • IT security awareness training for your employees
  • A set of written policies and procedures that address cybersecurity measures
  • Data leakage prevention

Please refer to the Overview of Regulatory Requirements table below for some examples of what Core82 can do for your firm to address each component of the regulation.

Regulation Background

On February 16th, 2017, Governor Cuomo announced the Cybersecurity Regulation aimed at protecting consumers and financial institutions from cyber attacks.

The regulation went into effect on March 1st, 2017. The first Certification of Compliance is due on February 15th, 2018.

This regulation is the result of the New York State Department of Financial Services’ (DFS) increased concern over the cybersecurity health of the financial firms that DFS oversees. The recent increase in cybercrime underscores the need to address potential cyber weaknesses in the industry.

The regulation requires financial services institutions regulated by the Department of Financial Services to establish and maintain a cybersecurity program designed to ensure their own safety and soundness, and protect their customers. DFS urges all regulated institutions to move swiftly and urgently.

At the center of the regulation is the protection of business and consumer information, referred to as “Non-public Information” (“NPI”), which covers all electronic information that is not publicly available. Examples of NPI:

  1. The firm’s own business-related information, the leaking of which to unauthorized persons would cause a material adverse impact to the business, its operations or its security
  2. Consumer personal identification information such as a social security number, driver’s license number or non-driver identification card number, account number, credit or debit card number, any security code, access code or password that would permit access to an individual’s financial account, or biometric records
  3. Consumer health information

Who is Subject to Regulation

The majority of firms overseen by DFS are subject to this regulation, specifically: any person or firm operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.

Exemption Criteria

Partial exemption: The following types of firms will be exempt from some but not all requirements:

  1. Small firms (fewer than 10 employees including contractors, less than $5M in gross annual revenue, and less than $10M in year-end total assets)
  2. Firms that do not directly or indirectly operate, maintain, utilize or control any Information Systems, and that do not, and are not required to, directly or indirectly control, own, access, generate, receive or possess Non-public Information (NPI)

If you believe that your firm qualifies for an exemption, you must file a Notice of Exemption on the NYDFS web portal (https://myportal.dfs.ny.gov/web/cybersecurity) by October 30th, 2017. You will still be required to implement a limited cybersecurity program.

Full exemption: The following types of firms are exempt:

  1. Persons subject to Insurance Law section 1110 (charitable, religious, missionary, educational or philanthropic);
  2. Persons subject to Insurance Law section 5904 (a risk retention group doing business in NY State that is not chartered and licensed as a property/casualty insurer in NY State);
  3. Any accredited reinsurer or certified reinsurer that has been accredited or certified pursuant to 11 NYCRR 125.

Cybersecurity Regulation Implementation Timeline

1. The regulation went into effect on March 1st, 2017.

2. Firms had 180 days (six months), until August 28th, 2017, to implement most requirements, such as:

  • Cybersecurity program, policies and procedures
  • Appointment of CISO
  • Review and limit access privileges
  • Engage sufficient cybersecurity personnel
  • Incident response plan
  • Process for DFS notification of any Cybersecurity Events

3. The first Certification of Compliance is due on February 15th, 2018.

4. Firms have one year (until March 1st, 2018) to implement the following requirements:

  • CISO’s first report on the firm’s cybersecurity program to the firm’s board of directors or senior management
  • Penetration testing and vulnerability assessment
  • Risk assessment
  • Multi-factor authentication
  • Cybersecurity training for all personnel

5. Firms have 18 months (until September 3rd, 2018) to implement the following requirements:

  • Audit Trail
  • Software development security protocols
  • Limits on data retention
  • Monitor the activity of authorized users and detect unauthorized access
  • Encryption

6. Firms have two years (until March 1st, 2019) to ensure the compliance of third-party service providers.

Overview of Regulatory Requirements – summarized in table below

The regulation sets certain minimum standards and expects firms to keep pace with technological advances. The new regulation provides important guidelines designed to prevent cyber breaches. We have summarized the regulation’s requirements for your convenience in the table below, along with suggestions on how Core82 can help.

How to read the table below:

First, identify whether you qualify for exemptions.

  1. If you fall under the definition of a “small firm” (fewer than 10 employees including contractors, less than $5M in gross annual revenue, and less than $10M in year-end total assets), and you store or transmit sensitive non-public information (NPI) as described above, your responsibility will be to comply with the requirements marked “yes” under “Applicable to small firms that handle NPI?”.
  2. If you don’t use computers to conduct your business (for example, you only use a phone), and therefore don’t store or transmit sensitive non-public information over computer systems, your responsibility will be to comply with the requirements marked “yes” under “Applicable to firms that don’t handle NPI?”.
  3. If you qualify for a full exemption (for example, if you are a charitable, religious, missionary, educational or philanthropic organization), you don’t have to comply with this regulation.

Please note: If you qualify for any exemptions, don’t forget to notify the DFS about your exemption status. You can do so via their online portal: https://myportal.dfs.ny.gov/web/cybersecurity. You will need to create a new account in order to log in.

We have grouped and sorted regulatory requirements here for your convenience based on their applicability and similarities:

Each entry below lists the regulatory reference, the regulatory requirement, whether it applies to small firms that handle NPI, whether it applies to firms that don’t handle NPI, and Core82’s proposed solution.

500.09 – Periodic Risk Assessment

Requirement: Each firm shall conduct periodic Risk Assessments to address any changes in the firm’s Information Systems, Nonpublic Information or business operations. The firm should periodically revise its cyber controls to incorporate the newest technological developments that enable an adequate response to evolving threats.

Applicable to small firms that handle NPI? yes
Applicable to firms that don’t handle NPI? yes

Core82’s proposed solution: We recognize that your business operations may change over time. We will work with you to prevent and remediate the risk of potential exposure of NPI that might arise from changes in your workflow or systems.

We will mutually agree on a reasonable frequency for the reviews; annual is the minimum.

500.11 – Third Party Service Provider Security Policy

Requirement: Firms must maintain a due diligence process to periodically evaluate the adequacy of the cybersecurity practices of their third parties that have access to the firm’s Information Systems and/or its Nonpublic Information, based on the risk that they present.

Applicable to small firms that handle NPI? yes
Applicable to firms that don’t handle NPI? yes

Core82’s proposed solution: Core82 is proud to be compliant with the strict requirements of the Service Organization Control (SOC) reporting framework, developed and enforced by the American Institute of Certified Public Accountants (AICPA). It is notable that while the IT industry is unregulated and SOC compliance is completely voluntary for IT firms, we choose to hold ourselves to the highest standards. The SOC certification requires companies to establish and follow strict information security policies and procedures encompassing the security, availability, processing integrity and confidentiality of their clients’ data.

500.17(a) – Notification of Cybersecurity Events to DFS

Requirement: Firms must notify DFS no later than 72 hours from a determination that a Cybersecurity Event has occurred.

A Cybersecurity Event means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.

Applicable to small firms that handle NPI? yes
Applicable to firms that don’t handle NPI? yes

Core82’s proposed solution: The goal of Core82 is to put proper security measures in place, including basic cybersecurity training for your employees, in order to reduce the likelihood of potential cyber events. We have partnered with leading technology providers and are able to offer our clients top security technology packages that are used and trusted by Fortune 500 companies.

Core82 provides regular monitoring of our clients’ security systems and follows a protocol to identify suspicious events and notify our clients. We will work with you to create a framework for determining the types of breaches that need to be reported to DFS. If a breach needs to be reported to DFS, we will supply you with supporting evidence. We will also work with you to recover from any damage that the cyber event might cause to your systems and data.

500.17(b) – Annual Certification

Requirement: Before February 15th, 2018 and every year thereafter, each firm shall file its compliance certification through the DFS web portal. All records, schedules and data supporting this certification shall be kept by the firm for five years as evidence for examination by DFS.

Applicable to small firms that handle NPI? yes
Applicable to firms that don’t handle NPI? yes

Core82’s proposed solution: Firms should use the DFS web portal to certify their compliance with the cyber requirements.

We encourage our clients to use the annual certification process as a good opportunity to conduct the required periodic review mentioned under 500.09 above.

As part of the review, Core82 will produce a written statement of our opinion of your technology system’s cybersecurity readiness, as well as evidence of compliance, which will be archived for five years as the compliance standard requires.

500.17(c) – Documentation of Deficiencies and Remediation Plans

Requirement: The firm shall document the existing deficiencies and the remediation efforts planned and underway to address any areas, systems or processes that require material improvement. Such documentation must be available for inspection by DFS.

Applicable to small firms that handle NPI? yes
Applicable to firms that don’t handle NPI? yes

Core82’s proposed solution: As part of the initial readiness assessment that Core82 conducts at the beginning of the engagement, we will evaluate your current technologies and related processes. We will then propose a remediation plan and recommend a reasonable budget and an implementation timeline.

As we make progress on the necessary remediation, we will update all relevant documentation regarding the existing deficiencies and the remediation efforts planned and underway.

Additionally, the documentation will be updated as part of the required periodic reviews.

It is important to have proper documentation ready for inspection by DFS on short notice.

500.02, 500.03, 500.08, 500.13, 500.16 – Program, Policies and Procedures

Requirement: Firms are expected to establish written cybersecurity policies and procedures to protect their Information Systems (including in-house developed applications) and sensitive non-public data. The program’s purpose is to enable the firms to:

  • Identify cybersecurity risks
  • Establish written incident response plans
  • Put measures in place to protect against unauthorized access to sensitive information
  • Detect, respond to and recover from cybersecurity events

Applicable to small firms that handle NPI? yes
Applicable to firms that don’t handle NPI? no

Core82’s proposed solution: Core82 has ready-to-go templates for policies and procedures that can be customized to fit your company’s risk-based requirements.

500.07 – Access Privileges

Requirement: Firms shall limit user access privileges to Information Systems that provide access to Nonpublic Information and shall periodically review such access privileges.

Applicable to small firms that handle NPI? yes
Applicable to firms that don’t handle NPI? no

Core82’s proposed solution: We will work with you to review who has access to which systems and information, and whether certain access to sensitive data can reasonably be restricted to only those who need that information to do their job.

The access privileges review will be part of the Periodic Risk Assessment described above.

500.04, 500.10 – Chief Information Security Officer (CISO) and Cybersecurity Personnel

Requirement: Each firm must designate a qualified individual to serve as the CISO, who is responsible for implementing, overseeing and enforcing the firm’s cybersecurity program and policy. The CISO may be employed by the firm or by a third-party service provider.

Firms must also ensure that the program is staffed by qualified cybersecurity personnel who are up to date on evolving threats and technologies.

Applicable to small firms that handle NPI? no
Applicable to firms that don’t handle NPI? no

Core82’s proposed solution: Core82 can act as your firm’s CISO. We have been delivering technology, cybersecurity and compliance solutions for global financial organizations, publicly traded and private entities, power plants and military operations for 15+ years, including hundreds of client engagements.

The team at Core82 holds industry certifications including, but not limited to: Certified Information Systems Security Professional (CISSP), Cisco Certified Internetwork Expert (CCIE), Cisco Certified Network Professional (CCNP) and Cisco Certified Design Professional (CCDP).

In addition, all members of Core82 are required to pass criminal background checks.

500.05 – Penetration Testing and Vulnerability Assessments

Requirement: DFS recommends that firms implement continuous monitoring and testing. Absent continuous monitoring, at a minimum, firms must conduct:

  a) annual penetration testing of the Information Systems;
  b) bi-annual vulnerability assessments, such as systematic scans or reviews of Information Systems.

Applicable to small firms that handle NPI? no
Applicable to firms that don’t handle NPI? no

Core82’s proposed solution: Penetration testing refers to examining a computer system to find potential vulnerabilities that a malicious cyber attacker could exploit.

As part of the compliance program management, Core82 conducts periodic penetration testing and vulnerability assessments.

The testing and assessments are executed with the use of technologies as well as human interaction.

500.06 – Audit Trail

Requirement: Firms shall maintain records of material financial transactions for at least five years, and audit trails of Cybersecurity Events for at least three years.

Applicable to small firms that handle NPI? no
Applicable to firms that don’t handle NPI? no

Core82’s proposed solution: As specified by the compliance requirement, financial firms must keep records of material financial transactions for at least five years. The systems used by the firm should be reviewed to ensure that information deemed “material” is not deleted or disposed of for at least five years.

Additionally, the scheduling and purging of data backups should be reviewed to ensure historical data availability.

Regarding audit trails of Cybersecurity Events, Core82 provides our clients with a Security Information and Event Management (SIEM) system that aggregates events from infrastructure components (servers, firewalls, etc.) and retains two geographically redundant copies of the historical events for the required three years.

500.12 – Multi-Factor Authentication

Requirement: Based on its Risk Assessment, the firm shall use effective controls such as Multi-Factor Authentication to protect against unauthorized access.

Applicable to small firms that handle NPI? no
Applicable to firms that don’t handle NPI? no

Core82’s proposed solution: Multi-factor authentication is a method of confirming a user’s identity by requiring the user to enter supplementary information (e.g. a unique, temporary PIN code randomly generated in an authentication app or on a secure token) in addition to their user name and password during authentication. This process helps to prevent unauthorized access.

Core82 provides our clients with multi-factor authentication, including one-time passwords and biometrics, to gain access to sensitive data.

500.14(a) – Monitoring

Requirement: Firms must implement controls designed to monitor the activity of Authorized Users and detect unauthorized access to or use of, or tampering with, Nonpublic Information by such Authorized Users.

Applicable to small firms that handle NPI? no
Applicable to firms that don’t handle NPI? no

Core82’s proposed solution: Core82 provides our clients with logging, data leakage prevention and monitoring systems that detect and report unauthorized access.

500.14(b) – Training

Requirement: Firms must provide regular cybersecurity awareness training for all personnel.

Applicable to small firms that handle NPI? no
Applicable to firms that don’t handle NPI? no

Core82’s proposed solution: Core82 provides our clients with fundamental cybersecurity awareness training to help mitigate the risk of a socially engineered attack or the unintended consequences of opening a malicious e-mail attachment.

500.15 – Encryption of Nonpublic Information

Requirement: Based on its Risk Assessment, the firm shall implement controls such as encryption to protect Nonpublic Information held or transmitted over external networks. If encryption is not feasible, the firm may instead use other controls, which are reviewed and approved by the firm’s CISO on at least an annual basis.

Applicable to small firms that handle NPI? no
Applicable to firms that don’t handle NPI? no

Core82’s proposed solution: Core82 provides our clients with the highest levels of encryption available for commercial use to secure their information.
