March 1, 2018 is the next compliance deadline for the New York State Department of Financial Services' ("DFS") New York State Law 23 NYCRR 500 Cybersecurity Requirements for Financial Services Companies (“23 NYCRR 500”). Several key requirements, including a full-scale risk assessment and employee training, must be completed and implemented by this date.
By March 1, 2018, firms that meet the DFS 23 NYCRR 500 regulation's definition of "Covered Entity" must have the following cybersecurity measures in place:
- Risk Assessment – Requires your organization to complete a risk assessment to determine the level of protection required for cybersecurity and access to non-public information ("NPI").
- Multi-Factor Authentication – Requires that access to NPI be protected by multi-factor authentication if deemed reasonable by your risk assessment. Multi-factor authentication uses two or more authentication methods to confirm a user’s identification (for example, a combination of username/password plus a text message).
- CISO Report to Board of Directors – Requires your organization's named CISO to provide annual reports to your organization's Board of Directors or governing body.
- End User Training – Requires all end users in your organization to receive annual training on cybersecurity threats, vulnerabilities, and protections.
- Vulnerability Testing – Requires your organization to conduct ongoing vulnerability assessments to determine weaknesses in internal and external websites, servers, and endpoints.
- Penetration Testing – Requires that periodic penetration testing be conducted against your organization’s systems and servers to identify and mitigate weaknesses and flaws.
The following ACA resources are available to help your firm navigate the complexities of the DFS 23 NYCRR 500 regulation:
- DFS 23 NYCRR 500 FAQs – Includes requirements as well as key compliance and certification dates.
- New NYS DFS Cybersecurity Regulations: What You Need to Know – On-demand webcast
About the Author
Christopher Gebhardt is a Principal Consultant at ACA Aponix focused on IT, privacy, and cybersecurity transaction advisory, as well as tech and cyber risk strategies for ACA's private equity firm clients' portfolio companies. Prior to joining ACA, Chris served as Associate Director of Infrastructure Engineering for Jet.com and as Director of Information Technology for Air Medical Resource Group (AMRG). Chris’ prior experience includes several years as an IT Manager for several organizations, where he was considered an expert in paperless migrations. He has consulted with leading government organizations on IT projects to deliver strategic roadmaps. Chris earned his BS in Management from SUNY Empire State College. He is a Certified HIPAA Professional and holds the Certified Security Compliance Specialist certification covering ISO27001, NIST800, FISMA, GLBA, and state-level information security and compliance regulations.