
The NYDFS Cybersecurity Regulation (23 NYCRR 500) is a set of regulations from the New York State Department of Financial Services (NYDFS) that places cybersecurity requirements on all Covered Entities (financial institutions and financial services companies). On February 16, 2017, the NYDFS Cybersecurity Regulation was released after two rounds of industry and public feedback. It included a phased implementation process with four distinct phases to give organizations time to implement more robust policies and controls.

As the NYDFS Cybersecurity Regulation is in full effect, organizations need to comply with all practices outlined above, including appointing a CISO, conducting periodic risk assessments, maintaining a cybersecurity program that aligns with the NIST Cybersecurity Framework, and investing in third-party and fourth-party risk management programs.

In evaluating Covered Entities, DFS is unequivocal that "Risk Assessment is not intended to permit a cost-benefit analysis of acceptable losses where an institution is faced with cybersecurity risks."

In spite of concerns that certain definitions were too broad and could be overly burdensome to comply with, DFS chose to retain some in their present form (Cybersecurity Event, Information System, Publicly Available Information), while Nonpublic Information and Risk Assessment were altered and added.
