illustrates the compliance timeline. This new regulation includes cybersecurity requirements that will likely affect all organizations in some way. Let’s take a look at how we got here, who this applies to, and the key requirements that may change the cybersecurity programs within your company.
ENVIRONMENT AND NY DFS
For many years, regulatory requirements at the federal level have been in place to provide appropriate guidance on protecting sensitive data within the financial services industry, including mortgage lending. While not specific on implementation, protecting confidential consumer information has been promulgated through various laws for some time. The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule is a prime example of this type of federal requirement. Many states, for their part, have issued laws that create a patchwork of security breach notification and reporting rules. Perceived gridlock at the federal level on cybersecurity regulation is prompting states to look at issuing their own requirements. While NY DFS is the first to do so, we will likely see similar regulations from other states in the future.
OF THE NY DFS
Part 500 applies to Covered Entities that operate under a license, accreditation, or similar authorization under the Banking, Insurance, or Financial Services Laws. The regulation also requires Covered Entities to file a Certification of Compliance by February 15 of each year beginning in 2018. This annual filing is required to attest to compliance with applicable sections of the regulation. The scope of data covered in Part 500 is also defined within the new regulation. “Nonpublic Information” as defined in Part 500 includes not only individual information similar to GLBA but also business-related information about your organization and individual health care information in any form. While this is not out of the ordinary for information generally included as part of an enterprise cybersecurity program, the specific definition within this regulation is important to know. There are provisions within Part 500 that may allow some smaller organizations to file an exemption to the regulation. Partnering with your legal department on understanding this new regulation and how it applies to your organization is a key first step.
KEY ASPECTS OF THE REGULATION
For those in the security or cyber risk areas within their respective organizations, the topics covered in Part 500 will be familiar, and many align with standard industry practice designed to protect access to technology assets and sensitive data. It’s worth reviewing some key sections of Part 500 and considering them as you work toward compliance and the 2018 filing deadline.
Risk Assessments: This is a key theme in Part