New York’s DFS Cybersecurity Regulations in a Nutshell

Published by guest-writer on March 21, 2017

WHAT YOU NEED TO KNOW ABOUT THE new DFS Cybersecurity Regulations

In summary, the law requires all business institutions to prove that they have:

Established a Cybersecurity Program
Adopted relevant Cybersecurity Policies and Procedures
Hired and empowered a Chief Information Security Officer
Implemented governance measures for Cybersecurity risks of Third-Party Service Providers, Partners, and Customers

The legislation is effective as of March 1st, 2017, and compliance is mandatory within 180 days. The New York State has issued a list of frequently asked questions (FAQs) around compliance and exceptions.

For companies it basically says, “make sure your vendors are secure, that they securely access your data, and that their third parties and vendors are compliant, too.” Managing your vendors is a challenge, fourth party management is an even bigger hurdle to overcome if you look at the current landscape and available solutions.

New York’s DFS Cybersecurity Regulations in a Nutshell

WHAT DOES THIS MEAN FOR YOUR VENDOR RISK MANAGEMENT PROGRAM?

We at ThirdPartyTrust are singularly focused on third party risk management. As such, let us highlight what this means for your vendor risk management program.

You will be required to:

Perform a thorough risk assessment of third party service providers; and
Assess minimum security expectations and requirements of third parties; and
Perform due diligence that your third parties and their third parties are following requirements; and
Perform periodic security assessments of third parties; and
Use multi-factor authorization for third parties; and
Use encryption in transit and at rest; and
Require third parties to notify your company of real or suspected security issues.

Ultimately, the use of third-parties suppliers and outsourcing will not absolve organizations of responsibility for that risk nor will it allow deflection of a security breach to the outsourced entity. Violations can be assessed as “willful misuse” carrying fines of $50,000 or more per instance.

WHAT’S NEXT?

For many companies, the process of gathering and managing third party risk profiles is laborious and time-intensive, with spreadsheets and file cabinets being the historical method of choice. Gleaning insights and patterns from this information is difficult, at best. However, there are tools and frameworks available to make this easier for organizations and their third party vendors.

Download Guide: Building a Scalable Third Party Risk Management Program

It’s clear that regulators are now requiring all companies to actively be apprised of their third-party entities’ cyber risk profiles and methods. Establishing a line of sight with each third-party entity’s Vendor Management and/or Compliance department is even more difficult. Similarly, establishing a formalized framework for the purpose of acquiring third-party cyber risk intelligence is extremely difficult

Regardless of the difficulty, the regulators will hold you accountable, and the penalties will carry hefty monetary fines (as well as adverse effects to your reputational and operational risk).

It is imperative that organizations implement a controllable, pragmatic risk management strategy. The most efficient strategy incorporates converged practices, collaboration, and relationship building at the third and fourth party levels. This strategy applies for domestic dependencies as well as global dependencies, where the challenge of managing third party security is compounded by distance, legal, and cultural variables.

To learn more about how ThirdPartyTrust can help you manage third-party risk, request your free trial now:

Trial Account Sign-Up

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.