
DFS letter has you asking

Learn about the requirements and implications of 23 NYCRR 500, the cybersecurity regulation in New York, and how it affects businesses domiciled in other states. Failure to comply may indicate a cybersecurity program deficiency. Submit the Certification of Compliance via the DFS cybersecurity portal.


Presentation Transcript


  1. DFS letter has you asking What in the world is 23 NYCRR 500?

  2. Cyber Security? What in the world is 23 NYCRR 500?

  3. https://www.pia.org/IRC/privacy/files/nutshellupdate9.27.17.pdf

  4. So your business is domiciled in New Jersey or some other state?

  5. If you do 99.9% of your business outside of NY and write one case situs in NY… ---YOU MUST COMPLY--- So your business is domiciled in New Jersey or some other state?

  6. TO: Covered Entities Who Did Not File Certification
FROM: Superintendent Maria T. Vullo
DATE: March 2, 2018
RE: Failure to File Certification of Compliance

As previously advised, all regulated entities and licensed persons of the Department of Financial Services (DFS) were required to file a cybersecurity regulation Certification of Compliance under 23 NYCRR 500 by February 15, 2018. Our records indicate that to date you have not made such filings under the regulation.[1] The Certification of Compliance is to cover the period as of December 31, 2017 for all requirements of the cybersecurity regulation in force by that date. All Covered Entities that have failed to submit the Certification and that are in compliance with the regulation should do so via the DFS cybersecurity portal as soon as possible. The DFS Certification of Compliance is a critical governance pillar for the cybersecurity program of DFS regulated entities, and DFS takes compliance with the regulation seriously. The Department will consider a failure to submit a Certification of Compliance as an indicator that the cybersecurity program of the Covered Entity has a substantive deficiency.

The Certificate of Compliance is required even if you filed for a limited exemption under 23 NYCRR Part 500.19. These exemptions have been tailored to address particular circumstances and include requirements that the Department believes are necessary for these exempted entities. Covered Entities are required to file a Certificate of Compliance to confirm that they are in compliance with those provisions of the regulation that apply to that Covered Entity.

The goal of DFS’s cybersecurity regulation is for all regulated institutions to have a robust, risk-based program so that New York’s financial services industries strengthen protections from cybersecurity attacks and protect consumers’ private data and our financial markets. As DFS continues to implement its cybersecurity regulation, we also will take additional steps to protect the financial services industries from cyber attacks, including through our examinations. The DFS web portal also contains a copy of the cybersecurity regulation and a set of frequently asked questions.

[1] If you submitted a Certification and received this notification, then please send an email to cyberregcomments@dfs.ny.gov with the full name of the licensed entity, license number, and confirmation number from your filing and DFS will look into your inquiry.

  7. EFFECTIVE DATES

  8. EFFECTIVE DATES Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems. The cybersecurity program shall be based on the Covered Entity’s Risk Assessment and designed to perform core cybersecurity functions

  10. EFFECTIVE DATES Each Covered Entity shall implement and maintain a written policy or policies, approved by a Senior Officer or the Covered Entity’s board of directors (or an appropriate committee thereof) or equivalent governing body, setting forth the Covered Entity’s policies and procedures for the protection of its Information Systems and Nonpublic Information stored on those Information Systems. The cybersecurity policy shall be based on the Covered Entity’s Risk Assessment

  11. EFFECTIVE DATES

  12. EFFECTIVE DATES Based on the Covered Entity’s Risk Assessment each Covered Entity shall limit user access privileges to Information Systems that provide access to Nonpublic Information and shall periodically review such access privileges.

  13. EFFECTIVE DATES Each Covered Entity shall conduct a periodic Risk Assessment of the Covered Entity’s Information Systems sufficient to inform the design of the cybersecurity program as required by this Part. Such Risk Assessment shall be updated as reasonably necessary to address changes to the Covered Entity’s Information Systems, Nonpublic Information or business operations.

  14. EFFECTIVE DATES Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers.

  15. EFFECTIVE DATES As part of its cybersecurity program, each Covered Entity shall include policies and procedures for the secure disposal on a periodic basis of any Nonpublic Information identified in section 500.01(g)(2)-(3) of this Part that is no longer necessary for business operations or for other legitimate business purposes of the Covered Entity, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.

  16. EFFECTIVE DATES Notice to Superintendent

  17. EFFECTIVE DATES Section 500.17 Notices to Superintendent.

(a) Notice of Cybersecurity Event. Each Covered Entity shall notify the superintendent as promptly as possible but in no event later than 72 hours from a determination that a Cybersecurity Event has occurred that is either of the following: (1) Cybersecurity Events impacting the Covered Entity of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body; or (2) Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.

(b) Annually each Covered Entity shall submit to the superintendent a written statement covering the prior calendar year. This statement shall be submitted by February 15 in such form set forth as Appendix A, certifying that the Covered Entity is in compliance with the requirements set forth in this Part. Each Covered Entity shall maintain for examination by the Department all records, schedules and data supporting this certificate for a period of five years. To the extent a Covered Entity has identified areas, systems or processes that require material improvement, updating or redesign, the Covered Entity shall document the identification and the remedial efforts planned and underway to address such areas, systems or processes. Such documentation must be available for inspection by the superintendent.

  18. EFFECTIVE DATES

  19. We are late, so what do we do?
• DON’T DO NOTHING
• It’s the DFS and they have your number
• Your clients will appreciate that you protect their data
• File for the exemption
• Do a GAP analysis of what it would take to come into compliance
• Prepare to respond to the DFS as to why you missed the implementation date and how you are moving toward compliance
• Hire a TPA/Lawyer/Outsourced IT to bring you to compliance
• Complete the documentation and certify with DFS

  20. I’m an Entity/Have Multiple entities?

  21. I’m an Entity/Have Multiple entities? YOU MUST COMPLY WITH NYCRR
• Create a login with the DFS and request a partial exemption.
• Do a risk and GAP assessment against the limited regulations.
• Decide if you’re capable of writing new company procedures.
• If not, hire a lawyer/TPA to complete the documentation.
• Log back into the DFS site and certify that you are in compliance.

  22. I’m only an Independent Agent? YOU MUST COMPLY WITH NYCRR
• Create a login with the DFS and request a partial exemption.
• Do a risk and GAP assessment against the limited regulations.
• Decide if you’re capable of writing new company procedures.
• If not, hire a lawyer/TPA to complete the documentation.
• Log back into the DFS site and certify that you are in compliance.

  23. Going Forward
• New Employees must be waived and certified within 30 Days
• Each year you must certify compliance by March 15th for the previous year.
• Each year you must perform an analysis of your procedures and document any changes
• You must maintain records of all incidents

  24. Questions? mkaplan@filco.net rmurray@filco.net
