This is a set of cybersecurity regulations from the NY Department of Financial Services (DFS) protecting both the financial services industry and its consumers.
The NYDFS regulation applies to all entities operating, or required to operate, under DFS licensure, registration or charter, or that are otherwise DFS-regulated, as well as their third-party vendors and service providers. They include:
Foreign banks licensed to operate in New York
However, exemptions can apply to organizations that are relatively small in terms of employees and income.
The framework has 23 sections. Organizations must also assess their risk profile and design a program that addresses their risks proactively and in a timely manner.
Compliance with the regulation is a four-phase implementation process:
Phase 1 – Fundamental Requirements. Implement and maintain a formal cybersecurity program and policy.
Phase 2 – Assessment, Awareness and Reporting. Regular testing, risk assessment, training and CISO reporting.
Phase 3 – Audit Trail, Procedures, Guidelines, and Controls. Maintain an audit trail to detect and respond to cybersecurity events.
Phase 4 – Third Party Policy. Covered entities and their third-party service providers are required to implement written policies and procedures
By February 15 of each year, each covered entity must submit to the Superintendent of DFS a written statement of compliance covering the prior calendar year.
Centraleyes delivers streamlined, automated data collection and analysis, prioritized remediation guidance and real-time customized scoring to meet the NYDFS requirements. Centraleyes has mapped NYDFS back to its control inventory, allowing data to be shared across multiple frameworks through the platform, which saves time and money and yields more accurate data. Through the Centraleyes platform, organizations can gain full visibility into their cyber risk levels and compliance.