Internal Audit, Risk, Business & Technology Consulting
Regulation Background
The New York State Department of Financial Services (NYDFS or DFS) established a set of cybersecurity requirements, effective March 2017, for financial services companies that are supervised by the NYDFS, to address the heightened risk of cyberattacks by nation-states, terrorist organizations and independent criminal actors. The regulation, Part 500 of Title 23 of the New York Code, aims to protect customer information and the information systems that process it by holding covered entities accountable for their cyber defense responsibilities.
Who Is Exempt from Part 500 Title 23?
• National banks or banks chartered in other states
• New York branches of non-New York chartered banks
• Federal Credit Unions
• Broker-dealers
• Office of the Comptroller of the Currency (OCC)-chartered branches and agencies of non-U.S. banks
• An affiliate of a Covered Entity that is not itself a Covered Entity
What Is a Covered Entity?
“Any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the New York State Banking Law, the Insurance Law or the Financial Services Law.” — NYDFS
Many financial services companies fall under the Covered Entity definition — even those that aren’t based in New York. Refer to your compliance department or the NYDFS website to understand the impact on your institution.
Who does the standard apply to?
• Branches, Agencies or Offices of Non-US Banks
• Credit Unions
• Mortgage Brokers
• Check Cashiers/Money Transmitters
• Insurance Companies
• Institutions with BitLicenses
• Insured Depository Institutions
• Trust Companies
Cybersecurity Regulation Overview: New York Department of Financial Services 23 NYCRR 500
protiviti.com
How Protiviti Can Help
Protiviti has vast experience in assisting our financial services clients interpret, attest to and comply with regulations. Our team includes leading industry regulation and cybersecurity experts and former regulators who regularly produce thought leadership pieces. Protiviti’s Global Financial Services Industry (FSI) practice leverages our experienced consulting team to deliver projects across multiple areas impacted by the NYDFS regulation:
• NYDFS Cybersecurity Readiness: A readiness assessment by Protiviti can identify gaps in a Covered Entity’s current state of compliance with the NYDFS cybersecurity regulation, resulting in a road map to achieve compliance.
• Risk Assessment Methodology or Execution: Protiviti can help an organization align or mature a Covered Entity’s assessment methodology to NYDFS compliance, or perform the assessment for the Covered Entity.
• Remediation or Project Management: Protiviti can provide remediation, project management and other advisory services for known areas of noncompliance.
• Audit Outsource or Co-Source and/or Advisory Support: Protiviti can provide audit or co-source audit of NYDFS cybersecurity controls or other audit advisory support.
• Third-Party Review of Compliance Efforts: Protiviti can provide a third-party review or formal assessment of internal efforts, projects, plans and road maps working toward NYDFS compliance.
Protiviti SME Spotlight
Adam Hamm is a managing director with Protiviti who has a deep knowledge of financial services regulation and hands-on experience in all insurance supervision and policy-related matters. Prior to joining Protiviti in January 2017, he was president of the National Association of Insurance Commissioners (NAIC), chairman of the NAIC’s Cybersecurity Task Force, principal on the Financial and Banking Information Infrastructure Committee (FBIIC), principal on the United States Financial Stability Oversight Council (FSOC) and North Dakota’s elected insurance commissioner.
Frequently Asked Questions (FAQs) and Protiviti Response
1. When should a Covered Entity report a breach?
Covered Entities must report within 72 hours of a breach.
2. Who is responsible for a Covered Entity’s cybersecurity program?
Covered Entities must appoint a chief information security officer (CISO) or a suitable equivalent.
3. Are compensating controls for certain requirements permitted by the NYDFS?
If necessary and permitted, compensating controls must be reviewed and approved by the CISO on an annual basis.
4. Is the cybersecurity regulation a “one size fits all” model?
A periodic risk assessment should inform the design of the cybersecurity program.
ABOUT PROTIVITI
Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independently owned Member Firms provide consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit to our clients through our network of more than 70 offices in over 20 countries.
We have served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
Contacts
Adam Hamm, Managing Director, [email protected]
Scott Laliberte, Managing [email protected]
Andrew Retrum, Managing [email protected]
Cal Slemp, Managing [email protected]
NYDFS Cybersecurity Regulation Key Dates
Issuance of NYDFS Cyber Regulation: March 1, 2017
Requirement Transition Date 1: Aug. 28, 2017
• (500.02) Cybersecurity Program
• (500.03) Cybersecurity Policy
• (500.04a) CISO
• (500.07) Access Privileges
• (500.10) Cyber Personnel & Intel
• (500.16) Incident Response
• (500.17) Notice to Superintendent
Initial Exemption Reporting Deadline: Sep. 27, 2017
First Certification Submission Date: Feb. 15, 2018
Requirement Transition Date 2: March 1, 2018
• (500.04b) CISO
• (500.05) Penetration Testing & Vulnerability Management
• (500.09) Risk Assessment
• (500.12) Multi-Factor Authentication (MFA)
• (500.14b) Training
Requirement Transition Date 3: Sep. 3, 2018
• (500.06) Audit Trail
• (500.08) Application Security
• (500.13) Data Retention
• (500.14a) Monitoring
• (500.15) Encryption of Nonpublic Information
Two-Year Transition Period Ends: March 1, 2019
• (500.11) Third-Party Service Provider Security Policy
[Figure: Top Challenges of the Regulation]
Visit www.dfs.ny.gov/about/cybersecurity.htm and www.protiviti.com/cybersecurity-fs for more details on the NYDFS Cybersecurity regulation.
© 2017 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0917-104270 Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.