In response to worries over data security, New York’s Department of Financial Services (NYDFS) enacted a set of cybersecurity regulations that is quickly becoming the standard for data security in the financial industry. The regulation, officially known as 23 NYCRR 500, went into effect in March 2017. Since then, the NYDFS regulations have gained traction and their requirements now appear in a number of other agencies’ regulations.
The ‘Who’ And ‘What’ Of The NYDFS Regulations
The purpose of the NYDFS cybersecurity requirements is to ensure that all entities under the department’s jurisdiction adopt a cybersecurity management program that adheres to the minimum requirements set forth in the regulation. Meeting these minimum requirements was judged to provide a baseline level of protection for the enterprises and consumers affected by the regulation. To comply, a company must do the following:
• Designate a chief information security officer (CISO) who reports annually to the board of directors on the integrity of the business’s information security, its cybersecurity risks, and its current cybersecurity policies and procedures.
• Keep records and establish an audit trail.
• Develop written policies that cover best practices, guidelines and standards for secure development processes, together with procedures to ensure that in-house applications adhere to the company’s cybersecurity policy.
• Hire security personnel and train them in the company’s specific cybersecurity policy so that they stay current with the changing cybersecurity landscape.
• Require multifactor authentication for access to certain programs, applications and email.
In addition to the requirements listed above, companies are expected to encrypt nonpublic information, administer cybersecurity training to their entire staff and dispose of data securely.