NYDFS Cybersecurity Compliance
NYDFS, the New York State Department of Financial Services, requires financial service entities in New York to follow certain practices to protect clients. To be compliant, general cybersecurity requirements must be met. Companies with fewer than 10 employees, companies with less than $5 million in gross annual revenue for three years, or companies with less than $10 million in total year-end assets are exempt.
Those who must follow the regulations include insurance companies that do business in New York, mortgage and trust companies, state-chartered banks, licensed lenders, private bankers, foreign banks licensed in New York, and service contract providers.
Beginning in 2018, companies must file an annual certification for NYDFS compliance.
Threatcare offers solutions for compliance with many of the requirements set by the New York State Department of Financial Services.
Threatcare plays a role in addressing (a) Cybersecurity Programs, (b) Cybersecurity Policies, (c) CISO, (d) Audit Trails, (e) Risk Assessments, (f) Security Personnel and Intelligence, and (g) Incident Response Plans, among other requirements.
(a) Section 500.02: “Establish a cybersecurity program based on periodic risk assessments and designed to identify and assess risks; protect information systems and nonpublic information; detect, respond to, and recover from cyber events; and fulfill all reporting obligations.”
(b) Section 500.03: “Create and maintain written policies and procedures for the protection of information systems and nonpublic information based on the company’s risk assessment.”
(c) Section 500.04: “Designate a CISO to oversee and implement the cybersecurity program. The CISO may be employed by the regulated entity, an affiliate, or a third-party service provider.”
(d) Section 500.06: “Maintain systems designed to recover material financial transactions following an event and audit trails to detect and respond to cybersecurity events.”
(e) Section 500.09: “Conduct bi-annual risk assessments that consider threats, particular risks to the entity, and an examination of existing controls in the context of identified risk.”
(f) Section 500.10: “Utilize qualified cybersecurity personnel or an ‘Affiliate or a Third-Party Service Provider’ sufficient to manage the organization’s risks and to perform or oversee the performance of the core cybersecurity functions.”
(g) Section 500.16: “Establish a written incident response plan for responding to and recovering from cybersecurity events.”
For further explanation, you can contact Threatcare for a walk-through of how our products address NYDFS compliance.