For many years, Digital Edge has been building and operating Information Security Programs. We are certified by ISO (International Standard Organization) for our Information Security System. Now it is a requirement for all New York State financial companies to adopt one.
If you don't have one, you should build one. If you don't know how to, we can help.
To draw the line between an Information Security Program and security technologies: it is not enough to have a firewall and an antivirus today. The regulators require covered companies to build and maintain a risk-based cybersecurity practice designed to protect the confidentiality, integrity and availability of information.
Technology is not enough. Organizations have to show a systematic approach in their businesses to managing cybersecurity.
The best way of handling such a challenge is to adopt one of the well-known cybersecurity frameworks, such as ISO 27001, NIST Core or SOC 2. However, even partial adoption would cover the DFS requirements.
Any financial company should do the following in the next 6 months:
1. Find out if you are regulated.
DFS supervises the following financial institutions:
2. See if you are eligible for any of 5 possible exemptions.
There are 5 categories of exemptions:

| Exemption Category Type | Exemption Category Type Description |
|---|---|
| Exemption Category 1 | Small Covered Entities - (i) Covered Entities with fewer than 10 employees, including any independent contractors, of the Covered Entity or its Affiliates located in New York or responsible for business of the Covered Entity (Section 500.19(a)(1)); (ii) Covered Entities with less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations of the Covered Entity and its Affiliates (Section 500.19(a)(2)); and (iii) Covered Entities with less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates (Section 500.19(a)(3)). |
| Exemption Category 2 | Employees, Agents, Representatives and Designees - Employees, agents, representatives or designees of a Covered Entity who are covered by the cybersecurity program of the Covered Entity (Section 500.19(b)). |
| Exemption Category 3 | Covered Entities without Access to Information Systems or Nonpublic Information - Covered Entities that do not directly or indirectly operate, maintain, utilize or control any Information Systems, and that do not, and are not required to, directly or indirectly control, own, access, generate, receive or possess Nonpublic Information (Section 500.19(c)). |
| Exemption Category 4 | Insurance Covered Entities without Access to Nonaffiliate Nonpublic Information - Covered Entities under Article 70 of the Insurance Law that do not and are not required to directly or indirectly control, own, access, generate, receive or possess Nonpublic Information other than information relating to its corporate parent company (or Affiliates) (Section 500.19(d)). |
| Exemption Category 5 | Special Insurance Organizations and Certain Reinsurers - Persons subject to New York Insurance Law Section 1110; Persons subject to New York Insurance Law Section 5904; and any accredited reinsurer or certified reinsurer that has been accredited or certified pursuant to 11 NYCRR 125 (Section 500.19(f)). |
If you are exempt you have to:
- File a Cybersecurity Notice of Exemption. We can help you with this.
- Implement the elements of the cybersecurity program that you are still required to implement.
- Depending on your exemption category, you will still need to build a cybersecurity program.
Cybersecurity Program requirements are outlined in the following table:
| Requirement | No Exemption | Exemption Category 1 | Exemption Category 2 | Exemption Category 3 | Exemption Category 4 | Exemption Category 5 |
|---|---|---|---|---|---|---|
| Section 500.02 Cybersecurity Program | APPLICABLE | APPLICABLE | EXEMPT | EXEMPT | EXEMPT | EXEMPT |
| Section 500.03 Cybersecurity Policy | APPLICABLE | APPLICABLE | EXEMPT | EXEMPT | EXEMPT | EXEMPT |
| Section 500.04 Chief Information Security Officer | APPLICABLE | EXEMPT | EXEMPT | EXEMPT | EXEMPT | EXEMPT |
| Section 500.05 Penetration Testing and Vulnerability Assessments | APPLICABLE | EXEMPT | EXEMPT | EXEMPT | EXEMPT | EXEMPT |
| Section 500.06 Audit Trail | APPLICABLE | EXEMPT | EXEMPT | EXEMPT | EXEMPT | EXEMPT |
| Section 500.07 Access Privileges | APPLICABLE | APPLICABLE | EXEMPT | EXEMPT | EXEMPT | EXEMPT |
| Section 500.08 Application Security | APPLICABLE | EXEMPT | EXEMPT | EXEMPT | EXEMPT | EXEMPT |
| Section 500.09 Risk Assessment | APPLICABLE | APPLICABLE | EXEMPT | APPLICABLE | APPLICABLE | EXEMPT |
| Section 500.10 Cybersecurity Personnel and Intelligence | APPLICABLE | EXEMPT | EXEMPT | EXEMPT | EXEMPT | EXEMPT |
| Section 500.11 Third Party Service Provider Security Policy | | | | | | |
| Section 500.12 Multi-Factor Authentication | APPLICABLE | EXEMPT | EXEMPT | EXEMPT | EXEMPT | EXEMPT |
| Section 500.13 Limitations on Data Retention | APPLICABLE | APPLICABLE | EXEMPT | APPLICABLE | APPLICABLE | EXEMPT |
| Section 500.14 Training and Monitoring | APPLICABLE | EXEMPT | EXEMPT | EXEMPT | EXEMPT | EXEMPT |
| Section 500.15 Encryption of Nonpublic Information | APPLICABLE | EXEMPT | EXEMPT | EXEMPT | EXEMPT | EXEMPT |
| Section 500.16 Incident Response Plan | APPLICABLE | EXEMPT | EXEMPT | EXEMPT | EXEMPT | EXEMPT |
| Section 500.17 Notices to Superintendent | APPLICABLE | APPLICABLE | EXEMPT | APPLICABLE | APPLICABLE | EXEMPT |
| Section 500.19 Notice of Exemption within 30 Days of Determination | APPLICABLE | APPLICABLE | APPLICABLE | APPLICABLE | APPLICABLE | EXEMPT |
3. By August 28, 2017, covered entities must be in compliance.
4. By February 15, 2018, covered entities must submit their first Certification of Compliance.
What Digital Edge can do for you:
- Fully or partially build and maintain your Cybersecurity Program.
- Be a part of your Cybersecurity Program, saving you money.
- Consult on the implementation.
- Show you how to get into compliance virtually for free.