The New York State Department of Financial Services has stipulated 17 separate cybersecurity regulations which apply to all covered entities under its jurisdiction. The purpose of the regulations is to enhance data security, and to prepare for and prevent cybersecurity attacks against financial institutions that hold confidential non-public or customer information, otherwise known as PII. Delaney Computer Services has compiled a list of covered entities and their respective requirements under §500 of the law. In addition to the list of requirements, there is a list of deadline dates for each of the requirements.
If you fall under, and are claiming, limited exemption status under §500.19, this list marks the eight of the seventeen specific cybersecurity regulations that you are still required to adhere to, with their respective dates. DCS has also seen a lot of confusion between Exempt and Limited Exemption. It is important for covered entities to understand that a limited exemption is exactly that: limited. You must still comply with specific regulations under 23 NYCRR Part 500, including their respective compliance deadline dates, which still need to be implemented and adhered to.
Please note that this table is not in date order but in order by section of the law.
Section | Status under §500.19 limited exemption | Regulation | Deadline |
---|---|---|---|
§500.2 | Required | Cybersecurity Program to be maintained | 3/1/2017 |
§500.3 | Required | Written Cybersecurity Policy Approved by Senior Officer or board; may be affiliate program | 3/1/2017 |
§500.4 | Exempt | Chief Information Security Officer Must Be Appointed; Can be Affiliate or Outside Contractor | 3/1/2018 |
§500.5 | Exempt | Penetration testing or Continuous Monitoring | 3/1/2018 |
§500.6 | Exempt | Audit Trail: maintain financial and other information for two to five years | 9/1/2018 |
§500.7 | Required | Limit and Review Access Privileges to PII | 3/1/2017 |
§500.8 | Exempt | Application Security: Written Procedures for In-house Applications | 9/1/2018 |
§500.9 | Required | Periodic Risk Assessments in accordance with written policies | 3/1/2018 |
§500.10 | Exempt | Use, Hiring and training of Qualified Cyber Security Personnel | 3/1/2017 |
§500.11 | Required | Third Party Providers: Written Policy and Procedure | 3/1/2019 |
§500.12 | Exempt | Multi Factor Authentication for accessing data from an external network | 3/1/2018 |
§500.13 | Required | Limitations on Data Retention: can’t maintain unnecessary data | 9/1/2018 |
§500.14 (a) | Exempt | Implement risk-based policies, procedures and controls designed to monitor and detect unauthorized access to information systems | 9/1/2018 |
§500.14 (b) | Exempt | Provide regular cybersecurity awareness training for all personnel that is updated to reflect pertinent risks identified during the risk assessment | 3/1/2018 |
§500.15 | Exempt | Encryption of all Non-Public Information | 9/1/2018 |
§500.16 | Exempt | Establish a written incident response plan for cybersecurity events and incidents | 3/1/2017 |
§500.17 | Required | Notice to Superintendent of cybersecurity Events | 3/1/2017 |
§500.18 | Required | Maintain Confidentiality of Non-Public Information | 3/1/2017 |