Cybersecurity Regulations Getting in Shape: New York Department of Financial Services
Bill Belcher
VP Americas, Boldon James
Shawn Tuma
Cybersecurity & Data Privacy Attorney, Scheef & Stone
General Counsel, Cyber Future Foundation
“Security and IT protect companies’ data;
Legal protects companies from their data.”
-Shawn Tuma
“Classification is the foundation for all data security,
including DLP. Without data classification in play,
it’s impossible to know what data to protect.”
-Boldon James
Introduction
• Cybersecurity threat is ubiquitous.
• New York is a major international financial hub.
• New York Department of Financial Services (DFS)
  • Developed Proposed Cybersecurity Requirements for Financial Services Companies.
    • Released for comment on September 13, 2016
    • Effective date 1/1/17; enforcement date 7/1/17
  • Comments resulted in substantial revision
  • Revised Cybersecurity Requirements for Financial Services Companies (Cybersecurity Regulations)
    • Released final on December 28, 2016
    • Effective date 3/1/17; enforcement date 8/28/17
    • 23 NYCRR 500
  • Exemption Mechanism
NEW YORK DEPARTMENT OF FINANCIAL SERVICES
CYBERSECURITY REGULATIONS
Key dates for Covered Entities
• March 1, 2017: Law becomes effective
• August 28, 2017: Must be in compliance
• September 27, 2017: Deadline for filing Notices of Exemption under 23 NYCRR 500.19(e)
• February 15, 2018: Deadline for Covered Entities to submit first certification under 23 NYCRR 500.17(b)
• March 1, 2018: One year transition period ends; must be in compliance with sections 500.04(b), 500.05, 500.09, 500.12, and 500.14(b)
• September 3, 2018: Eighteen month transition period ends; must be in compliance with sections 500.06, 500.08, 500.13, 500.14(a), and 500.15
• March 1, 2019: Two year transition period ends; must be in compliance with section 500.11
Which businesses are impacted?
• The Cybersecurity Regulations can impact businesses globally, even if they do not do business in New York.
• Apply directly to any Covered Entity.
• Apply indirectly to Third Party Service Provider(s) of the Covered Entity, through requirements on the Covered Entity to do business with the Third Party Service Provider.
Which businesses are impacted?
• Covered Entity means any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.
• Person is any non-governmental entity.
• Covered Entities include these doing business in NY:
  • Banks and trust companies
  • Credit unions
  • Foreign bank branches
  • Licensed lenders
  • Health insurers
  • Life insurance companies
  • Property and casualty insurance companies
  • Licensed agents & brokers
  • Savings and loan associations
  • Bail bond agents
  • Budget planners
  • Charitable foundations
  • Check cashers
  • Holding companies
  • Investment companies
  • Money transmitters
  • New York State Regulated Corporations
  • Service Contract Providers
  (198 on website lookup)
Which businesses are impacted?
Exemptions: these Covered Entities are exempt from all, or designated parts, of the Cybersecurity Regulations, but must file for exemption:
• Exemption from certain sections is available to Covered Entities with:
  • Fewer than 10 employees, including independent contractors, of the CE or its Affiliates located in NY or responsible for business of the CE;
  • Less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations of the CE and its Affiliates; or
  • Less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates.
• An employee, agent, representative or designee of a CE who is covered under the CE’s cybersecurity program.
• A CE that has no Information System or Nonpublic Information, and is not required to have them, is exempt from certain sections.
• Additional discrete exemptions.
Which businesses are impacted?
• Third Party Service Provider(s) means “a Person that (i) is not an Affiliate of the Covered Entity, (ii) provides services to the Covered Entity, and (iii) maintains, processes or otherwise is permitted access to Nonpublic Information through its provision of services to the Covered Entity.”
• Nonpublic Information is all electronic information that is not publicly available and is sensitive business information of the Covered Entity, sensitive identifying information of an individual, or health care related information of an individual.
• Section 500.11 requires a Covered Entity to ensure its Information Systems and Nonpublic Information are secured when accessed by or entrusted to TPSPs, through risk assessments, written policies and procedures, contractual protections, representations and warranties, due diligence, and periodic assessments of the TPSP for adequacy.
Key Defined Terms
• Cybersecurity Event means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.
• Information System means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process control systems, telephone switching and private branch exchange systems, and environmental control systems.
• Nonpublic Information is all electronic information that is not publicly available and is sensitive business information of the Covered Entity, sensitive identifying information of an individual, or health care related information of an individual.
• Third Party Service Provider(s) means “a Person that (i) is not an Affiliate of the Covered Entity, (ii) provides services to the Covered Entity, and (iii) maintains, processes or otherwise is permitted access to Nonpublic Information through its provision of services to the Covered Entity.”
What do the Cybersecurity Regulations require, generally?
They provide an outline of essential minimum standards, designate who should lead the process, and mandate top-down buy-in by management and the Board of Directors:
1. Each Covered Entity must assess its unique risk profile and design a program that addresses its risks in a robust fashion.
2. Each Covered Entity must designate a qualified individual to serve as its Chief Information Security Officer, responsible for overseeing and implementing its cybersecurity program.
3. Each Covered Entity’s senior management must be responsible for its cybersecurity program and file an annual certification confirming compliance with the Cybersecurity Regulations.
Cybersecurity Program
Section 500.02
“Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems.”
• Shall be based on its Risk Assessment and designed to perform these core functions:
  • Identify and assess internal and external risks;
  • Use defensive infrastructure and policies and procedures to protect IS and NPI from unauthorized access, use, or malicious acts;
  • Detect Cybersecurity Events;
  • Respond to identified or detected Cybersecurity Events and mitigate negative effects;
  • Recover from Cybersecurity Events and restore normal operations and services; and
  • Fulfill applicable regulatory reporting obligations.
• Keep documentation; may adopt an Affiliate’s CP.
Cybersecurity Policy
Section 500.03
“Each Covered Entity shall implement and maintain a written policy or policies, approved by a Senior Officer or the Covered Entity’s board of directors … setting forth the Covered Entity’s policies and procedures for the protection of its” IS and NPI.
• Shall be based on its Risk Assessment and address these areas, as applicable:
  • Information security
  • Data governance and classification
  • Asset inventory and device management
  • Access controls and identity management
  • Business continuity and disaster recovery planning and resources
  • Systems operations and availability concerns
  • Systems and network security
  • Systems and network monitoring
  • Systems and application development and quality assurance
  • Physical security and environmental controls
  • Customer data privacy
  • Vendor and Third Party Service Provider management
  • Risk assessment; and
  • Incident response
Chief Information Security Officer
Section 500.04
“Each Covered Entity shall designate a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy….”
• CISO may be an employee of the CE or an Affiliate, or
• May use a Third Party Service Provider, but the CE shall:
  • Retain responsibility for compliance;
  • Designate a senior member of the CE’s personnel responsible for direction and oversight; and
  • Require the Third Party Service Provider to maintain a compliant Cybersecurity Program.
The CISO shall report in writing at least annually to the CE’s board of directors (or equivalent) on the CE’s cybersecurity program and material cybersecurity risks, considering as applicable:
• The confidentiality of NPI, integrity and security of IS;
• CE’s cybersecurity policies and procedures;
• CE’s material cybersecurity risks;
• Overall effectiveness of the CE’s cybersecurity program; and
• Material Cybersecurity Events involving the CE.
Penetration Testing and Vulnerability Assessments
Section 500.05
“The cybersecurity program for each Covered Entity shall include monitoring and testing, developed in accordance with the Covered Entity’s Risk Assessment, designed to assess the effectiveness of the Covered Entity’s cybersecurity program.”
Monitoring and testing shall include:
• Continuous monitoring (or equivalent, to detect ongoing changes to IS), or
• Periodic Penetration Testing and vulnerability assessments, as well as:
  • Annual Penetration Testing based on the Risk Assessment; and
  • Bi-annual vulnerability assessments that include systematic scans or reviews to identify publicly known vulnerabilities, based on the Risk Assessment.
Audit Trail
Section 500.06
Covered Entities shall maintain systems that:
• Are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the CE;
  • Maintain these records for 5 years; and
• Include audit trails designed to detect and respond to material Cybersecurity Events;
  • Maintain these records for 3 years.
Access Privileges
Section 500.07
Covered Entity’s cybersecurity program shall limit user access privileges to IS that provide access to NPI and shall periodically review such access privileges.
Application Security
Section 500.08
Covered Entity’s cybersecurity program shall include:
• Written procedures, guidelines and standards to ensure the use of secure development practices for in-house developed applications utilized by the CE; and
• Procedures for evaluating, assessing or testing the security of externally developed applications utilized by the CE in its technology environment.
• All such procedures, guidelines and standards shall be periodically reviewed, assessed and updated by the CISO.
Risk Assessment
Section 500.09
“Each Covered Entity shall conduct a periodic Risk Assessment of the Covered Entity’s Information Systems sufficient to inform the design of the cybersecurity program ….” The Risk Assessment shall:
• Be updated as reasonably necessary to address changes in its IS, NPI, or business operations.
• Allow for revision of controls to respond to technological developments and evolving threats, and consider the particular risks of the CE’s business operations, NPI collected or stored, IS utilized, and effectiveness of controls to protect NPI / IS.
• Be carried out in accordance with written policies and procedures and be documented, including:
  • Criteria for evaluation and categorization of identified cybersecurity risks or threats facing the CE;
  • Criteria for assessing the confidentiality, integrity, security, and availability of IS / NPI, and the adequacy of existing controls concerning identified risks; and
  • Requirements describing how identified risks will be mitigated or accepted based on the Risk Assessment and how the cybersecurity program will address the risks.
Cybersecurity Personnel and Intelligence
Section 500.10
In addition to the CISO, CEs shall:
• Have qualified cybersecurity personnel to manage its cybersecurity risks, perform services or oversee performance of the cybersecurity program;
• Provide cybersecurity personnel with appropriate updates and training; and
• Verify that key cybersecurity personnel take steps to maintain current knowledge of changing cybersecurity threats and countermeasures.
• CE may use an Affiliate or TPSP for this.
Third Party Service Provider Security Policy
Section 500.11
“Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers.”
• P&P should be based on the CE’s Risk Assessment and address the following, as applicable:
  • The identification and risk assessment of TPSPs;
  • Minimum CP required of a TPSP to do business with the CE;
  • Due diligence process used to evaluate the adequacy of the CP of such TPSP;
  • Periodic assessment of such TPSP based on the risk they present and the continued adequacy of their CP.
• P&P shall include relevant guidelines for due diligence and/or contractual protections relating to TPSPs and applicable guidelines addressing:
  • TPSP’s P&P for access controls and MFA to IS / NPI;
  • TPSP’s P&P for use of encryption in transit and at rest;
  • Notice to be provided to the CE for a Cybersecurity Event; and
  • Reps and warranties addressing the TPSP’s cybersecurity P&P.
Multi-Factor Authentication
Section 500.12
• Based on its Risk Assessment, the CE shall use effective controls, which may include MFA or Risk-Based Authentication, to protect against unauthorized access to NPI or IS.
• MFA shall be utilized for any individual accessing the CE’s internal networks from an external network, unless the CE’s CISO has approved in writing the use of reasonably equivalent or more secure access controls.
Limitations on Data Retention
Section 500.13
• As part of its cybersecurity program, each CE shall include policies and procedures for the secure disposal on a periodic basis of any NPI no longer needed,
• Unless such NPI is required to be retained or targeted disposal is not reasonably feasible.
Training and Monitoring
Section 500.14
As part of its cybersecurity program, CEs shall:
• “implement risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information by such Authorized Users;” and
• “provide regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the Covered Entity in its Risk Assessment.”
Encryption of Nonpublic Information
Section 500.15
As part of its cybersecurity program, based on its Risk Assessment, CEs shall implement controls, including encryption, to protect NPI held or transmitted by the CE both in transit over external networks and at rest.
• CE may use effective alternate compensating controls reviewed and approved by its CISO if it determines it is infeasible to use:
  • Encryption of NPI in transit over external networks; or
  • Encryption of NPI at rest.
• CISO must review this feasibility determination at least annually.
Incident Response Plan
Section 500.16
As part of its cybersecurity program, the CE shall establish a written incident response plan designed to promptly respond to, and recover from, any material Cybersecurity Event.
• It shall address:
  • Internal processes for responding;
  • Goals of the IRP;
  • Definition of clear roles, responsibilities and levels of decision-making authority;
  • External and internal communications and information sharing;
  • Identification of requirements for the remediation of any identified weaknesses in the IS and associated controls;
  • Documentation and reporting regarding Cybersecurity Events and related incident response activities; and
  • Evaluation and revision of the IRP following a Cybersecurity Event.
Notices to Superintendent
Section 500.17
Two types of Notices are required:
• Event notification: the CE shall notify the superintendent as promptly as possible but in no event later than 72 hours from a determination that a Cybersecurity Event has occurred that either:
  • Impacts the CE and requires notice to be provided to any government body, self-regulatory agency, or any other supervisory body; or
  • Has a reasonable likelihood of materially harming any material part of the CE’s normal operations.
• Annual reporting: on February 15 of each year, the CE shall provide the written statement (App. A) for the prior year certifying compliance with these Regulations:
  • Signed by a Senior Officer or the Chairman of the Board;
  • Maintain for 5 years, for examination, all records, schedules and data supporting the certification;
  • Where deficiencies are identified requiring improvement, the CE shall document current and future efforts to remediate.
Enforcement
Section 500.20
“This regulation will be enforced by the superintendent pursuant to, and is not intended to limit, the superintendent’s authority under any applicable laws.”
The New York Department of Financial Services has very broad authority to investigate civil matters and, through its Criminal Investigations Bureau, criminal matters as well.
FAQs
Frequently Asked Questions:
http://www.dfs.ny.gov/about/cybersecurity_faqs.htm

Complying with Cybersecurity Regulations for IBM i Servers and DataComplying with Cybersecurity Regulations for IBM i Servers and Data
Complying with Cybersecurity Regulations for IBM i Servers and Data
 
EY thought leadership - SEC issues guidance on cybersecurity
EY thought leadership - SEC issues guidance on cybersecurityEY thought leadership - SEC issues guidance on cybersecurity
EY thought leadership - SEC issues guidance on cybersecurity
 
Infocom security 2016 - Cromar Presentation
Infocom security 2016 - Cromar PresentationInfocom security 2016 - Cromar Presentation
Infocom security 2016 - Cromar Presentation
 
Presentation for FPANJ Spring 2015 Conference
Presentation for FPANJ Spring 2015 ConferencePresentation for FPANJ Spring 2015 Conference
Presentation for FPANJ Spring 2015 Conference
 
Data Privacy
Data PrivacyData Privacy
Data Privacy
 
CBIZ Banking & Financial Services Hot Topics - January 2018
CBIZ Banking & Financial Services Hot Topics - January 2018CBIZ Banking & Financial Services Hot Topics - January 2018
CBIZ Banking & Financial Services Hot Topics - January 2018
 
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical GuideFLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
 
example
exampleexample
example
 
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...
 
Privacy law-update-whitmeyer-tuffin
Privacy law-update-whitmeyer-tuffinPrivacy law-update-whitmeyer-tuffin
Privacy law-update-whitmeyer-tuffin
 
Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)
Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)
Security and Privacy in Deals (altheim & mahajan)(6-3 -2015)
 

Más de Shawn Tuma

Lifecycle: Responding to a Ransomware Attack - A Professional Breach Guide's ...
Lifecycle: Responding to a Ransomware Attack - A Professional Breach Guide's ...Lifecycle: Responding to a Ransomware Attack - A Professional Breach Guide's ...
Lifecycle: Responding to a Ransomware Attack - A Professional Breach Guide's ...Shawn Tuma
 
The Dark Side of Digital Engagement
The Dark Side of Digital EngagementThe Dark Side of Digital Engagement
The Dark Side of Digital EngagementShawn Tuma
 
Incident Response Planning - Lifecycle of Responding to a Ransomware Attack
Incident Response Planning - Lifecycle of Responding to a Ransomware AttackIncident Response Planning - Lifecycle of Responding to a Ransomware Attack
Incident Response Planning - Lifecycle of Responding to a Ransomware AttackShawn Tuma
 
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...Shawn Tuma
 
Reimagine Your Company Operating Again After a Ransomware Attack -- The Lifec...
Reimagine Your Company Operating Again After a Ransomware Attack -- The Lifec...Reimagine Your Company Operating Again After a Ransomware Attack -- The Lifec...
Reimagine Your Company Operating Again After a Ransomware Attack -- The Lifec...Shawn Tuma
 
The Role of Contracts in Privacy, Cybersecurity, and Data Breach
The Role of Contracts in Privacy, Cybersecurity, and Data BreachThe Role of Contracts in Privacy, Cybersecurity, and Data Breach
The Role of Contracts in Privacy, Cybersecurity, and Data BreachShawn Tuma
 
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...Shawn Tuma
 
Lawyers' Ethical Obligations for Cybersecurity
Lawyers' Ethical Obligations for CybersecurityLawyers' Ethical Obligations for Cybersecurity
Lawyers' Ethical Obligations for CybersecurityShawn Tuma
 
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...Shawn Tuma
 
Real World Cyber Risk. Understand it. Manage it.
Real World Cyber Risk. Understand it. Manage it.Real World Cyber Risk. Understand it. Manage it.
Real World Cyber Risk. Understand it. Manage it.Shawn Tuma
 
The Legal Case for Cyber Risk Management Programs and What They Should Include
The Legal Case for Cyber Risk Management Programs and What They Should IncludeThe Legal Case for Cyber Risk Management Programs and What They Should Include
The Legal Case for Cyber Risk Management Programs and What They Should IncludeShawn Tuma
 
Cyber Hygiene Checklist
Cyber Hygiene ChecklistCyber Hygiene Checklist
Cyber Hygiene ChecklistShawn Tuma
 
Cyber Incident Response Checklist
Cyber Incident Response ChecklistCyber Incident Response Checklist
Cyber Incident Response ChecklistShawn Tuma
 
Cybersecurity: Cyber Risk Management for Lawyers and Clients
Cybersecurity: Cyber Risk Management for Lawyers and ClientsCybersecurity: Cyber Risk Management for Lawyers and Clients
Cybersecurity: Cyber Risk Management for Lawyers and ClientsShawn Tuma
 
Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)
Cybersecurity is a Team Sport  (SecureWorld - Dallas 2018)Cybersecurity is a Team Sport  (SecureWorld - Dallas 2018)
Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)Shawn Tuma
 
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
Cybersecurity: Cyber Risk Management for Banks & Financial InstitutionsCybersecurity: Cyber Risk Management for Banks & Financial Institutions
Cybersecurity: Cyber Risk Management for Banks & Financial InstitutionsShawn Tuma
 
Something is Phishy: Cyber Scams and How to Avoid Them
Something is Phishy: Cyber Scams and How to Avoid ThemSomething is Phishy: Cyber Scams and How to Avoid Them
Something is Phishy: Cyber Scams and How to Avoid ThemShawn Tuma
 
Cybersecurity Fundamentals for Legal Professionals (and every other business)
Cybersecurity Fundamentals for Legal Professionals (and every other business)Cybersecurity Fundamentals for Legal Professionals (and every other business)
Cybersecurity Fundamentals for Legal Professionals (and every other business)Shawn Tuma
 
Cybersecurity Update
Cybersecurity UpdateCybersecurity Update
Cybersecurity UpdateShawn Tuma
 
Effective cybersecurity for small and midsize businesses
Effective cybersecurity for small and midsize businessesEffective cybersecurity for small and midsize businesses
Effective cybersecurity for small and midsize businessesShawn Tuma
 

Más de Shawn Tuma (20)

Lifecycle: Responding to a Ransomware Attack - A Professional Breach Guide's ...
Lifecycle: Responding to a Ransomware Attack - A Professional Breach Guide's ...Lifecycle: Responding to a Ransomware Attack - A Professional Breach Guide's ...
Lifecycle: Responding to a Ransomware Attack - A Professional Breach Guide's ...
 
The Dark Side of Digital Engagement
The Dark Side of Digital EngagementThe Dark Side of Digital Engagement
The Dark Side of Digital Engagement
 
Incident Response Planning - Lifecycle of Responding to a Ransomware Attack
Incident Response Planning - Lifecycle of Responding to a Ransomware AttackIncident Response Planning - Lifecycle of Responding to a Ransomware Attack
Incident Response Planning - Lifecycle of Responding to a Ransomware Attack
 
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
 
Reimagine Your Company Operating Again After a Ransomware Attack -- The Lifec...
Reimagine Your Company Operating Again After a Ransomware Attack -- The Lifec...Reimagine Your Company Operating Again After a Ransomware Attack -- The Lifec...
Reimagine Your Company Operating Again After a Ransomware Attack -- The Lifec...
 
The Role of Contracts in Privacy, Cybersecurity, and Data Breach
The Role of Contracts in Privacy, Cybersecurity, and Data BreachThe Role of Contracts in Privacy, Cybersecurity, and Data Breach
The Role of Contracts in Privacy, Cybersecurity, and Data Breach
 
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
 
Lawyers' Ethical Obligations for Cybersecurity
Lawyers' Ethical Obligations for CybersecurityLawyers' Ethical Obligations for Cybersecurity
Lawyers' Ethical Obligations for Cybersecurity
 
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
 
Real World Cyber Risk. Understand it. Manage it.
Real World Cyber Risk. Understand it. Manage it.Real World Cyber Risk. Understand it. Manage it.
Real World Cyber Risk. Understand it. Manage it.
 
The Legal Case for Cyber Risk Management Programs and What They Should Include
The Legal Case for Cyber Risk Management Programs and What They Should IncludeThe Legal Case for Cyber Risk Management Programs and What They Should Include
The Legal Case for Cyber Risk Management Programs and What They Should Include
 
Cyber Hygiene Checklist
Cyber Hygiene ChecklistCyber Hygiene Checklist
Cyber Hygiene Checklist
 
Cyber Incident Response Checklist
Cyber Incident Response ChecklistCyber Incident Response Checklist
Cyber Incident Response Checklist
 
Cybersecurity: Cyber Risk Management for Lawyers and Clients
Cybersecurity: Cyber Risk Management for Lawyers and ClientsCybersecurity: Cyber Risk Management for Lawyers and Clients
Cybersecurity: Cyber Risk Management for Lawyers and Clients
 
Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)
Cybersecurity is a Team Sport  (SecureWorld - Dallas 2018)Cybersecurity is a Team Sport  (SecureWorld - Dallas 2018)
Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)
 
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
Cybersecurity: Cyber Risk Management for Banks & Financial InstitutionsCybersecurity: Cyber Risk Management for Banks & Financial Institutions
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
 
Something is Phishy: Cyber Scams and How to Avoid Them
Something is Phishy: Cyber Scams and How to Avoid ThemSomething is Phishy: Cyber Scams and How to Avoid Them
Something is Phishy: Cyber Scams and How to Avoid Them
 
Cybersecurity Fundamentals for Legal Professionals (and every other business)
Cybersecurity Fundamentals for Legal Professionals (and every other business)Cybersecurity Fundamentals for Legal Professionals (and every other business)
Cybersecurity Fundamentals for Legal Professionals (and every other business)
 
Cybersecurity Update
Cybersecurity UpdateCybersecurity Update
Cybersecurity Update
 
Effective cybersecurity for small and midsize businesses
Effective cybersecurity for small and midsize businessesEffective cybersecurity for small and midsize businesses
Effective cybersecurity for small and midsize businesses
 

Último

Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptx
Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptxAnalysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptx
Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptxadvabhayjha2627
 
Understanding the Role of Labor Unions and Collective Bargaining
Understanding the Role of Labor Unions and Collective BargainingUnderstanding the Role of Labor Unions and Collective Bargaining
Understanding the Role of Labor Unions and Collective Bargainingbartzlawgroup1
 
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理Airst S
 
Elective Course on Forensic Science in Law
Elective Course on Forensic Science  in LawElective Course on Forensic Science  in Law
Elective Course on Forensic Science in LawNilendra Kumar
 
一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理
一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理
一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理F La
 
一比一原版赫尔大学毕业证如何办理
一比一原版赫尔大学毕业证如何办理一比一原版赫尔大学毕业证如何办理
一比一原版赫尔大学毕业证如何办理Airst S
 
一比一原版(Carleton毕业证书)加拿大卡尔顿大学毕业证如何办理
一比一原版(Carleton毕业证书)加拿大卡尔顿大学毕业证如何办理一比一原版(Carleton毕业证书)加拿大卡尔顿大学毕业证如何办理
一比一原版(Carleton毕业证书)加拿大卡尔顿大学毕业证如何办理e9733fc35af6
 
Philippine FIRE CODE REVIEWER for Architecture Board Exam Takers
Philippine FIRE CODE REVIEWER for Architecture Board Exam TakersPhilippine FIRE CODE REVIEWER for Architecture Board Exam Takers
Philippine FIRE CODE REVIEWER for Architecture Board Exam TakersJillianAsdala
 
Who is Spencer McDaniel? And Does He Actually Exist?
Who is Spencer McDaniel? And Does He Actually Exist?Who is Spencer McDaniel? And Does He Actually Exist?
Who is Spencer McDaniel? And Does He Actually Exist?Abdul-Hakim Shabazz
 
一比一原版(IC毕业证书)帝国理工学院毕业证如何办理
一比一原版(IC毕业证书)帝国理工学院毕业证如何办理一比一原版(IC毕业证书)帝国理工学院毕业证如何办理
一比一原版(IC毕业证书)帝国理工学院毕业证如何办理Fir La
 
Hely-Hutchinson v. Brayhead Ltd .pdf
Hely-Hutchinson v. Brayhead Ltd         .pdfHely-Hutchinson v. Brayhead Ltd         .pdf
Hely-Hutchinson v. Brayhead Ltd .pdfBritto Valan
 
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理Airst S
 
Interpretation of statute topics for project
Interpretation of statute topics for projectInterpretation of statute topics for project
Interpretation of statute topics for projectVarshRR
 
一比一原版伦敦南岸大学毕业证如何办理
一比一原版伦敦南岸大学毕业证如何办理一比一原版伦敦南岸大学毕业证如何办理
一比一原版伦敦南岸大学毕业证如何办理Airst S
 
Sangyun Lee, Duplicate Powers in the Criminal Referral Process and the Overla...
Sangyun Lee, Duplicate Powers in the Criminal Referral Process and the Overla...Sangyun Lee, Duplicate Powers in the Criminal Referral Process and the Overla...
Sangyun Lee, Duplicate Powers in the Criminal Referral Process and the Overla...Sangyun Lee
 
Career As Legal Reporters for Law Students
Career As Legal Reporters for Law StudentsCareer As Legal Reporters for Law Students
Career As Legal Reporters for Law StudentsNilendra Kumar
 
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation Strategy
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation StrategySmarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation Strategy
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation StrategyJong Hyuk Choi
 
一比一原版埃克塞特大学毕业证如何办理
一比一原版埃克塞特大学毕业证如何办理一比一原版埃克塞特大学毕业证如何办理
一比一原版埃克塞特大学毕业证如何办理Airst S
 
Code_Ethics of_Mechanical_Engineering.ppt
Code_Ethics of_Mechanical_Engineering.pptCode_Ethics of_Mechanical_Engineering.ppt
Code_Ethics of_Mechanical_Engineering.pptJosephCanama
 
Navigating Employment Law - Term Project.pptx
Navigating Employment Law - Term Project.pptxNavigating Employment Law - Term Project.pptx
Navigating Employment Law - Term Project.pptxelysemiller87
 

Último (20)

Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptx
Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptxAnalysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptx
Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptx
 
Understanding the Role of Labor Unions and Collective Bargaining
Understanding the Role of Labor Unions and Collective BargainingUnderstanding the Role of Labor Unions and Collective Bargaining
Understanding the Role of Labor Unions and Collective Bargaining
 
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
 
Elective Course on Forensic Science in Law
Elective Course on Forensic Science  in LawElective Course on Forensic Science  in Law
Elective Course on Forensic Science in Law
 
一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理
一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理
一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理
 
一比一原版赫尔大学毕业证如何办理
一比一原版赫尔大学毕业证如何办理一比一原版赫尔大学毕业证如何办理
一比一原版赫尔大学毕业证如何办理
 
一比一原版(Carleton毕业证书)加拿大卡尔顿大学毕业证如何办理
一比一原版(Carleton毕业证书)加拿大卡尔顿大学毕业证如何办理一比一原版(Carleton毕业证书)加拿大卡尔顿大学毕业证如何办理
一比一原版(Carleton毕业证书)加拿大卡尔顿大学毕业证如何办理
 
Philippine FIRE CODE REVIEWER for Architecture Board Exam Takers
Philippine FIRE CODE REVIEWER for Architecture Board Exam TakersPhilippine FIRE CODE REVIEWER for Architecture Board Exam Takers
Philippine FIRE CODE REVIEWER for Architecture Board Exam Takers
 
Who is Spencer McDaniel? And Does He Actually Exist?
Who is Spencer McDaniel? And Does He Actually Exist?Who is Spencer McDaniel? And Does He Actually Exist?
Who is Spencer McDaniel? And Does He Actually Exist?
 
一比一原版(IC毕业证书)帝国理工学院毕业证如何办理
一比一原版(IC毕业证书)帝国理工学院毕业证如何办理一比一原版(IC毕业证书)帝国理工学院毕业证如何办理
一比一原版(IC毕业证书)帝国理工学院毕业证如何办理
 
Hely-Hutchinson v. Brayhead Ltd .pdf
Hely-Hutchinson v. Brayhead Ltd         .pdfHely-Hutchinson v. Brayhead Ltd         .pdf
Hely-Hutchinson v. Brayhead Ltd .pdf
 
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
 
Interpretation of statute topics for project
Interpretation of statute topics for projectInterpretation of statute topics for project
Interpretation of statute topics for project
 
一比一原版伦敦南岸大学毕业证如何办理
一比一原版伦敦南岸大学毕业证如何办理一比一原版伦敦南岸大学毕业证如何办理
一比一原版伦敦南岸大学毕业证如何办理
 
Sangyun Lee, Duplicate Powers in the Criminal Referral Process and the Overla...
Sangyun Lee, Duplicate Powers in the Criminal Referral Process and the Overla...Sangyun Lee, Duplicate Powers in the Criminal Referral Process and the Overla...
Sangyun Lee, Duplicate Powers in the Criminal Referral Process and the Overla...
 
Career As Legal Reporters for Law Students
Career As Legal Reporters for Law StudentsCareer As Legal Reporters for Law Students
Career As Legal Reporters for Law Students
 
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation Strategy
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation StrategySmarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation Strategy
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation Strategy
 
一比一原版埃克塞特大学毕业证如何办理
一比一原版埃克塞特大学毕业证如何办理一比一原版埃克塞特大学毕业证如何办理
一比一原版埃克塞特大学毕业证如何办理
 
Code_Ethics of_Mechanical_Engineering.ppt
Code_Ethics of_Mechanical_Engineering.pptCode_Ethics of_Mechanical_Engineering.ppt
Code_Ethics of_Mechanical_Engineering.ppt
 
Navigating Employment Law - Term Project.pptx
Navigating Employment Law - Term Project.pptxNavigating Employment Law - Term Project.pptx
Navigating Employment Law - Term Project.pptx
 

New York Department of Financial Services Cybersecurity Regulations

  • 1. Cybersecurity Regulations
    Getting in Shape: New York Department of Financial Services
    Bill Belcher, VP Americas, Boldon James
    Shawn Tuma, Cybersecurity & Data Privacy Attorney, Scheef & Stone; General Counsel, Cyber Future Foundation
  • 2. “Security and IT protect companies’ data; Legal protects companies from their data.” -Shawn Tuma
  • 3. “Classification is the foundation for all data security, including DLP. Without data classification in play, it’s impossible to know what data to protect.” -Boldon James
  • 4. Introduction
    • Cybersecurity threat is ubiquitous.
    • New York is a major international financial hub.
    • New York Department of Financial Services (DFS)
    • Developed Proposed Cybersecurity Requirements for Financial Services Companies.
    • Released for comment on September 13, 2016
    • Effective date 1/1/17; enforcement date 7/1/17
    • Comments resulted in substantial revision
    • Revised Cybersecurity Requirements for Financial Services Companies (Cybersecurity Regulations)
    • Released final on December 28, 2016
    • Effective date 3/1/17; enforcement date 8/28/17
    • 23 NYCRR 500
    • Exemption Mechanism
  • 5. Key dates for Covered Entities
    March 1, 2017: Law becomes effective
    August 28, 2017: Must be in compliance
    September 27, 2017: Deadline for filing Notices of Exemption under 23 NYCRR 500.19(e)
    February 15, 2018: Deadline for Covered Entities to submit first certification under 23 NYCRR 500.17(b)
    March 1, 2018: One year transition period ends; must be in compliance with sections 500.04(b), 500.05, 500.09, 500.12, and 500.14(b)
    September 3, 2018: Eighteen month transition period ends; must be in compliance with sections 500.06, 500.08, 500.13, 500.14(a), and 500.15
    March 1, 2019: Two year transition period ends; must be in compliance with section 500.11
  • 6. Which businesses are impacted?
    • The Cybersecurity Regulations can impact businesses globally, even if they do not do business in New York.
    • Apply directly to any Covered Entity.
    • Apply indirectly to Third Party Service Provider(s) of the Covered Entity, through requirements on the Covered Entity to do business with the Third Party Service Provider.
  • 7. Which businesses are impacted?
    • Covered Entity means any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.
    • Person is any non-governmental entity.
    • Covered Entities include those doing business in NY such as:
    • Banks and trust companies
    • Credit unions
    • Foreign bank branches
    • Licensed lenders
    • Health insurers
    • Life insurance companies
    • Property and casualty insurance companies
    • Licensed agents & brokers
    • Savings and loan associations
    • Bail bond agents
    • Budget planners
    • Charitable foundations
    • Check cashers
    • Holding companies
    • Investment companies
    • Money transmitters
    • New York State Regulated Corporations
    • Service Contract Providers (198 on website lookup)
  • 8. Which businesses are impacted?
    Exemptions: these Covered Entities are exempt from all, or designated parts, of the Cybersecurity Regulations, but must file for the exemption:
    • Exemption from certain sections is available to Covered Entities with:
    • Fewer than 10 employees, including independent contractors, of the CE or its Affiliates located in NY or responsible for business of the CE;
    • Less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations of the CE and its Affiliates; or
    • Less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates.
    • An employee, agent, representative or designee of a CE who is covered under the CE’s cybersecurity program.
    • A CE that has no Information System or Nonpublic Information (and is not required to) is exempt from certain sections.
    • Additional discrete exemptions.
  • 9. Which businesses are impacted?
    • Third Party Service Provider(s) means “a Person that (i) is not an Affiliate of the Covered Entity, (ii) provides services to the Covered Entity, and (iii) maintains, processes or otherwise is permitted access to Nonpublic Information through its provision of services to the Covered Entity.”
    • Nonpublic Information is all electronic information that is not publicly available and is sensitive business information of the Covered Entity, sensitive identifying information of an individual, or health care related information of an individual.
    • Section 500.11 requires a Covered Entity to ensure its Information Systems and Nonpublic Information are secured when accessed by or entrusted to TPSPs, by means of risk assessments, written policies and procedures, contractual protections, representations and warranties, due diligence, and periodic assessments of the TPSP for adequacy.
  • 10. Key Defined Terms
    • Cybersecurity Event means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.
    • Information System means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process control systems, telephone switching and private branch exchange systems, and environmental control systems.
    • Nonpublic Information is all electronic information that is not publicly available and is sensitive business information of the Covered Entity, sensitive identifying information of an individual, or health care related information of an individual.
    • Third Party Service Provider(s) means “a Person that (i) is not an Affiliate of the Covered Entity, (ii) provides services to the Covered Entity, and (iii) maintains, processes or otherwise is permitted access to Nonpublic Information through its provision of services to the Covered Entity.”
  • 11. What do the Cybersecurity Regulations require, generally?
    They provide an outline of essential minimum standards, designate who should lead the process, and mandate top-down buy-in by management and the Board of Directors:
    1. Each Covered Entity must assess its unique risk profile and design a program that addresses its risks in a robust fashion.
    2. Each Covered Entity must designate a qualified individual to serve as its Chief Information Security Officer, responsible for overseeing and implementing its cybersecurity program.
    3. Each Covered Entity’s senior management must be responsible for its cybersecurity program and file an annual certification confirming compliance with the Cybersecurity Regulations.
  • 12. Cybersecurity Program (Section 500.02)
    “Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems.”
    • Shall be based on its Risk Assessment and designed to perform these core functions:
    • Identify and assess internal and external risks;
    • Use defensive infrastructure and policies and procedures to protect IS and NPI from unauthorized access, use, or malicious acts;
    • Detect Cybersecurity Events;
    • Respond to identified or detected Cybersecurity Events and mitigate negative effects;
    • Recover from Cybersecurity Events and restore normal operations and services; and
    • Fulfill applicable regulatory reporting obligations.
    • Keep documentation; may adopt an Affiliate’s cybersecurity program.
  • 13. Cybersecurity Policy (Section 500.03)
    “Each Covered Entity shall implement and maintain a written policy or policies, approved by a Senior Officer or the Covered Entity’s board of directors … setting forth the Covered Entity’s policies and procedures for the protection of its” IS and NPI.
    • Shall be based on its Risk Assessment and address these areas, as applicable:
    • Information security
    • Data governance and classification
    • Asset inventory and device management
    • Access controls and identity management
    • Business continuity and disaster recovery planning and resources
    • Systems operations and availability concerns
    • Systems and network security
    • Systems and network monitoring
    • Systems and application development and quality assurance
    • Physical security and environmental controls
    • Customer data privacy
    • Vendor and Third Party Service Provider management
    • Risk assessment; and
    • Incident response
  • 14. Chief Information Security Officer (Section 500.04)
    “Each Covered Entity shall designate a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy….”
    • CISO may be an employee of the CE or an Affiliate, or
    • CE may use a Third Party Service Provider, but the CE shall:
    • Retain responsibility for compliance; designate a senior member of the CE’s personnel responsible for direction and oversight; and require the Third Party Service Provider to maintain a compliant cybersecurity program.
    The CISO shall report in writing at least annually to the CE’s board of directors (or equivalent) on the CE’s cybersecurity program and material cybersecurity risks, considering as applicable:
    • The confidentiality of NPI and the integrity and security of IS;
    • CE’s cybersecurity policies and procedures;
    • CE’s material cybersecurity risks;
    • Overall effectiveness of the CE’s cybersecurity program; and
    • Material Cybersecurity Events involving the CE.
  • 15. Penetration Testing and Vulnerability Assessments (Section 500.05)
    “The cybersecurity program for each Covered Entity shall include monitoring and testing, developed in accordance with the Covered Entity’s Risk Assessment, designed to assess the effectiveness of the Covered Entity’s cybersecurity program.”
    Monitoring and testing shall include:
    • Continuous monitoring (or an equivalent means of detecting ongoing changes to IS), or
    • Periodic Penetration Testing and vulnerability assessments, including:
    • Annual Penetration Testing based on the Risk Assessment; and
    • Bi-annual vulnerability assessments that include systematic scans or reviews to identify publicly known vulnerabilities, based on the Risk Assessment.
16. Audit Trail (Section 500.06)
Covered Entities shall maintain systems that:
• Are designed to reconstruct material financial transactions sufficient to support the normal operations and obligations of the CE;
  • Records supporting this shall be maintained for 5 years; and
• Include audit trails designed to detect and respond to material Cybersecurity Events;
  • Records supporting this shall be maintained for 3 years.
17. Access Privileges (Section 500.07)
• The Covered Entity’s cybersecurity program shall limit user access privileges to IS that provide access to NPI; and
• The CE shall periodically review such access privileges.
18. Application Security (Section 500.08)
The Covered Entity’s cybersecurity program shall include:
• Written procedures, guidelines and standards to ensure the use of secure development practices for in-house developed applications utilized by the CE; and
• Procedures for evaluating, assessing or testing the security of externally developed applications utilized by the CE in its technology environment.
• All such procedures, guidelines and standards shall be periodically reviewed, assessed and updated by the CISO.
19. Risk Assessment (Section 500.09)
“Each Covered Entity shall conduct a periodic Risk Assessment of the Covered Entity’s Information Systems sufficient to inform the design of the cybersecurity program ….”
The Risk Assessment shall:
• Be updated as reasonably necessary to address changes in the CE’s IS, NPI, or business operations.
• Allow for revision of controls to respond to technological developments and evolving threats, and consider the particular risks of the CE’s business operations, the NPI collected or stored, the IS utilized, and the effectiveness of controls to protect NPI and IS.
• Be carried out in accordance with written policies and procedures and be documented, including:
  • Criteria for the evaluation and categorization of identified cybersecurity risks or threats facing the CE;
  • Criteria for assessing the confidentiality, integrity, security, and availability of IS and NPI, including the adequacy of existing controls in the context of identified risks; and
  • A description of how identified risks will be mitigated or accepted based on the Risk Assessment and how the cybersecurity program will address the risks.
20. Cybersecurity Personnel and Intelligence (Section 500.10)
In addition to the CISO, Covered Entities shall:
• Have qualified cybersecurity personnel to manage the CE’s cybersecurity risks and to perform, or oversee the performance of, the core cybersecurity functions of the cybersecurity program;
• Provide cybersecurity personnel with appropriate updates and training; and
• Verify that key cybersecurity personnel take steps to maintain current knowledge of changing cybersecurity threats and countermeasures.
• The CE may use an Affiliate or a TPSP to satisfy these requirements.
21. Third Party Service Provider Security Policy (Section 500.11)
“Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers.”
• The policies and procedures (P&P) shall be based on the CE’s Risk Assessment and address the following, as applicable:
  • The identification and risk assessment of TPSPs;
  • The minimum cybersecurity practices (CP) a TPSP must have to do business with the CE;
  • The due diligence process used to evaluate the adequacy of a TPSP’s CP; and
  • Periodic assessment of each TPSP based on the risk it presents and the continued adequacy of its CP.
• The P&P shall include relevant guidelines for due diligence and/or contractual protections relating to TPSPs, including, to the extent applicable, guidelines addressing:
  • The TPSP’s P&P for access controls, including MFA, to limit access to IS and NPI;
  • The TPSP’s P&P for the use of encryption to protect NPI in transit and at rest;
  • The notice to be provided to the CE in the event of a Cybersecurity Event directly impacting the CE’s IS or NPI held by the TPSP; and
  • Representations and warranties addressing the TPSP’s cybersecurity P&P.
22. Multi-Factor Authentication (Section 500.12)
• Based on its Risk Assessment, the CE shall use effective controls, which may include MFA or Risk-Based Authentication, to protect against unauthorized access to NPI or IS.
• MFA shall be utilized for any individual accessing the CE’s internal networks from an external network, unless the CE’s CISO has approved in writing the use of reasonably equivalent or more secure access controls.
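The two requirements above, periodic review of NPI access privileges (500.07) and MFA for external-network access unless the CISO has approved an equivalent control in writing (500.12), are the kind of thing an examiner will ask you to evidence. The check below is an added example, not code from the slides or from DFS: it runs both tests over a constructed identity-provider export. The 90-day review window, the `Account` field names and the sample records are assumptions standing in for a Covered Entity's own policy and data.

```python
"""Added example (not from the slides or DFS): a small compliance check for
23 NYCRR 500.07 (access privileges) and 500.12 (multi-factor authentication).

All account records below are constructed sample data. The 90-day review
window and the field names are assumptions standing in for a Covered Entity's
own policy and identity-provider export.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumption: the Covered Entity's policy requires NPI access to be reviewed every 90 days.
REVIEW_WINDOW = timedelta(days=90)

# Constructed "as of" date for this review run (chosen to match the first certification deadline).
TODAY = date(2018, 2, 15)


@dataclass
class Account:
    user: str
    npi_access: bool                    # can reach Information Systems holding NPI (500.07)
    last_access_review: Optional[date]  # date the privilege was last reviewed, None if never
    external_access: bool               # reaches internal networks from an external network (500.12)
    mfa_enrolled: bool
    ciso_exception: Optional[str] = None  # reference to the CISO's written approval of an equivalent control


def access_review_findings(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """500.07: every account that can reach NPI needs a privilege review within REVIEW_WINDOW."""
    findings = []
    for a in accounts:
        if not a.npi_access:
            continue
        if a.last_access_review is None:
            findings.append((a.user, "NPI access never reviewed"))
        elif today - a.last_access_review > REVIEW_WINDOW:
            due = a.last_access_review + REVIEW_WINDOW
            findings.append((a.user, f"NPI access review overdue since {due.isoformat()}"))
    return findings


def mfa_findings(accounts: List[Account]) -> List[Tuple[str, str]]:
    """500.12: external-network access requires MFA unless the CISO approved, in writing,
    reasonably equivalent or more secure access controls."""
    return [
        (a.user, "external access without MFA or CISO-approved exception")
        for a in accounts
        if a.external_access and not a.mfa_enrolled and not a.ciso_exception
    ]


# Constructed sample identity-provider export (invented users, not real data).
SAMPLE_ACCOUNTS = [
    Account("alice", True, date(2017, 12, 1), True, True),
    Account("bob", True, date(2017, 9, 1), True, False),
    Account("carol", True, None, False, False),
    Account("dave", False, None, True, False,
            ciso_exception="CISO memo 2017-11: certificate-based VPN (hypothetical reference)"),
]


def run_checks(accounts: List[Account] = SAMPLE_ACCOUNTS, today: date = TODAY) -> dict:
    """Return both finding lists keyed by regulation section."""
    return {
        "500.07": access_review_findings(accounts, today),
        "500.12": mfa_findings(accounts),
    }


if __name__ == "__main__":
    for section, findings in run_checks().items():
        for user, problem in findings:
            print(f"{section}: {user}: {problem}")
```

On the sample data, bob is flagged under both sections (his NPI review lapsed on 2017-11-30 and he reaches the internal network without MFA), carol has NPI access that was never reviewed, and dave is not flagged because a CISO-approved exception is recorded. Note that the script only checks that an exception reference exists; the written approval it points at is what the examiner will want to see, and the CISO's approval should be revisited when the Risk Assessment is updated.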
23. Limitations on Data Retention (Section 500.13)
• As part of its cybersecurity program, each CE shall include policies and procedures for the secure disposal, on a periodic basis, of any NPI no longer necessary for business operations or other legitimate business purposes,
• Unless such NPI is otherwise required to be retained by law or regulation, or targeted disposal is not reasonably feasible due to the manner in which the information is maintained.
24. Training and Monitoring (Section 500.14)
As part of its cybersecurity program, each CE shall:
• “implement risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information by such Authorized Users;” and
• “provide regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the Covered Entity in its Risk Assessment.”
25. Encryption of Nonpublic Information (Section 500.15)
• As part of its cybersecurity program, and based on its Risk Assessment, each CE shall implement controls, including encryption, to protect NPI held or transmitted by the CE both in transit over external networks and at rest.
• The CE may use effective alternative compensating controls reviewed and approved by its CISO if it determines that it is infeasible to use:
  • Encryption of NPI in transit over external networks; or
  • Encryption of NPI at rest.
• The CISO must review the feasibility of encryption and the effectiveness of the compensating controls at least annually.
26. Incident Response Plan (Section 500.16)
As part of its cybersecurity program, each CE shall establish a written incident response plan (IRP) designed to promptly respond to, and recover from, any material Cybersecurity Event. The IRP shall address:
• The internal processes for responding to a Cybersecurity Event;
• The goals of the IRP;
• The definition of clear roles, responsibilities and levels of decision-making authority;
• External and internal communications and information sharing;
• Identification of requirements for the remediation of any identified weaknesses in IS and associated controls;
• Documentation and reporting regarding Cybersecurity Events and related incident response activities; and
• The evaluation and revision of the IRP following a Cybersecurity Event.
27. Notices to Superintendent (Section 500.17)
Two types of notice are required:
• Event notification: the CE shall notify the superintendent as promptly as possible, but in no event later than 72 hours from a determination that a Cybersecurity Event has occurred that either:
  • Impacts the CE and requires notice to be provided to any government body, self-regulatory agency, or any other supervisory body; or
  • Has a reasonable likelihood of materially harming any material part of the CE’s normal operations.
• Annual reporting: by February 15 of each year, the CE shall submit the written statement in Appendix A, covering the prior calendar year, certifying compliance with these Regulations:
  • Signed by a Senior Officer or the Chairman of the Board;
  • All records, schedules and data supporting the certification shall be maintained for 5 years and made available for examination by the Department; and
  • Where areas, systems or processes are identified that require material improvement, updating or redesign, the CE shall document the identification and the remedial efforts planned and underway.
28. Enforcement (Section 500.20)
“This regulation will be enforced by the superintendent pursuant to, and is not intended to limit, the superintendent’s authority under any applicable laws.”
The New York Department of Financial Services has very broad authority to investigate civil matters and, through its Criminal Investigations Bureau, criminal matters as well.
29. FAQs
Frequently Asked Questions: http://www.dfs.ny.gov/about/cybersecurity_faqs.htm