NYDFS Cybersecurity Regulations


SPEAKERS

NYDFS Cybersecurity Regulations
Lisa J. Sotto, Hunton & Williams LLP
(212) 309-1223 | lsotto@hunton.com | www.huntonprivacyblog.com
March 9, 2017

The Privacy Team at Hunton & Williams
- Over 30 privacy professionals in the U.S., EU and Asia
- Our clients have included 6 of the Fortune 10
- Representing clients across multiple industry sectors, including financial services, retail, consumer products, technology, advertising, transportation, publishing, energy, health care and pharmaceutical
- Centre for Information Policy Leadership at Hunton & Williams
www.huntonprivacyblog.com | @hunton_privacy
63834496 6

Key Financial Services Incidents
- SWIFT
- Scottrade
- Morgan Stanley
- JPMorgan Chase
- Global Payments
- RBS Worldpay

Roadmap
- Purpose and Scope of the Regulations
- Key Definitions
- Key Requirements
- Preparing for the Regulations

Purpose and Scope of the Regulations
Purpose of the regulations
Applies to covered entities that are required to operate under a license or charter under the NY banking, insurance or financial services law. Examples include:
- Banks chartered in NY
- Trust companies
- Money transmitters
- Mortgage brokers
Does not apply to:
- National banks or banks chartered in other states
- Broker-dealers
- Federal credit unions

Key Definitions
- Cybersecurity Event
- Nonpublic Information
- Third Party Service Provider

Key Requirements
- Cybersecurity program
- Written cybersecurity policy, approved by senior officer or the Board
- CISO, to report to the Board
- Penetration testing, vulnerability assessments and audit trails
- Periodic risk assessments
- Service provider policy
- Limits on data retention
- Encryption
- Written incident response plan
- Notification to DFS for cybersecurity events and annual certification of compliance

Cybersecurity Program
Cybersecurity program must be based on the covered entity's risk assessment and be designed to:
- identify and assess internal and external cybersecurity risks
- use defensive infrastructure and policies to protect the covered entity's information systems and data
- detect cybersecurity events
- respond to identified cybersecurity events
- recover and restore normal operations
- fulfill applicable regulatory reporting obligations

Written Cybersecurity Policy
- Covered entities must have a written policy based on a risk assessment
- Policy must be approved by a senior officer or the Board
- Must address such issues as:
  - access controls and identity management
  - business continuity and disaster recovery planning and resources
  - systems and network security and monitoring
  - physical security and environmental controls
  - customer data privacy
  - vendor and third party service provider management
  - incident response

Chief Information Security Officer and Cybersecurity Personnel
CISO
- Individual responsible for overseeing and implementing the cybersecurity program and policy
- Can be employed by an affiliate or third party service provider of the covered entity
- Must report annually in writing to the Board of Directors
Cybersecurity Personnel
- Must have sufficient cybersecurity training and updates
- Must verify that they take steps to maintain current knowledge of changing cybersecurity threats and measures

Penetration Testing, Vulnerability Assessments, Audit Trails and Risk Assessment
- Annual penetration testing
- Bi-annual vulnerability assessments
- Audit trails designed to:
  - reconstruct material financial transactions sufficient to support the covered entity's operations, and
  - detect and respond to cybersecurity events that have a reasonable likelihood of materially harming the covered entity's operations
- Audit trails must be retained for 5 years
- Risk assessment must be performed periodically and updated to address changes to Information Systems, Nonpublic Information or business operations

Service Provider Policy, Data Retention and Encryption
Service providers:
- Service provider policy must address minimum cybersecurity practices of vendors
- Due diligence
- Contractual representations and warranties
Data retention limitations:
- Nonpublic Information should be disposed of periodically if it is no longer needed for business operations or other legitimate business purposes, unless required by law
Encryption:
- Encryption of Nonpublic Information at rest and in transit
- Compensating controls are permitted if reviewed and approved by the CISO

Incident Response Plan
Must address such issues as:
- the internal processes for responding to a cybersecurity event
- the goals of the incident response plan
- the definition of clear roles, responsibilities and levels of decision-making authority
- external and internal communications and information sharing
- identification of requirements for the remediation of any identified weaknesses in information systems and associated controls
- documentation and reporting regarding cybersecurity events and related incident response activities
- the evaluation and revision of the incident response plan following a cybersecurity event

Notification to DFS
Covered entities must notify DFS within 72 hours of:
- cybersecurity events of which notice is required to be provided to any government or self-regulatory or supervisory body; and
- cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations of the covered entity
Covered entity must submit an annual certification of compliance with the regulations by February 15 of each year

How do the NY Cybersecurity Regulations compare to GLB?
- Greater specificity for information security program
  - GLB: must include administrative, physical and technical safeguards
  - NY: must address 14 specific areas
- Increased personnel requirements
  - GLB: must designate an employee or employees to coordinate information security program
  - NY: must have CISO and cybersecurity personnel

How do the NY Cybersecurity Regulations compare to GLB? (continued)
- Greater specificity and timing requirements for testing and assessments
  - GLB: not specified; based on risk assessment
  - NY: annual penetration testing and bi-annual vulnerability assessments
- Notifying regulators following an incident
  - GLB: as soon as possible
  - NY: within 72 hours

Path to Compliance
Covered entities have 180 days to comply, with specified exceptions:
- 1 year to conduct penetration testing, vulnerability assessments, risk assessment and cybersecurity training
- 18 months to comply with audit trail, data retention and encryption requirements
- 2 years to develop third party service provider compliance program
Covered entities should conduct a gap analysis to understand compliance gaps
Remediation should focus first on issues with earlier compliance deadlines

Lisa J. Sotto
Partner; Chair, Privacy and Cybersecurity Practice
Hunton & Williams LLP
(212) 309-1223 | lsotto@hunton.com | www.huntonprivacyblog.com

ABOUT ALLCLEAR ID WE HELP GREAT COMPANIES KEEP THEIR CUSTOMERS SAFE

CUSTOMER SECURITY REQUIREMENTS
[Slide graphic: breach record counts shown without company names: 78M, 76M, 5M, 100TBs, 78M, 210K, 24M, 8M, 40M, 56M, 114K and 130M records]

REQUIREMENT FOR MULTI-FACTOR AUTHENTICATION

BREACH REQUIRES A SPECIAL OPERATIONS TEAM

BUILDING A SUCCESSFUL PLAN

EXECUTING YOUR PLAN

HOW TO GET YOUR TEAM ENGAGED

QUESTIONS?