NY Security Mandate

The standard has fifteen requirements for covered entities (more than ten employees, more than $5M in gross annual revenue, or more than $10M in year-end assets):

  • A formal cybersecurity program.
  • Policies/Procedures/Standards governing the cybersecurity program.
  • An individual with the CSO/CISO title, and responsibility over the cybersecurity program.
  • Annual penetration testing, and bi-annual vulnerability scanning.
  • System and application monitoring and auditing controls (basically, a SIEM needs to be in-place).
  • A formal user access, authentication, and authorization process.
  • Multi-factor authentication.
  • A data retention policy and process.
  • An awareness training/education program.
  • Encryption of non-public information.
  • An Incident Response Plan.
  • An application security program.
  • Risk assessments of all information systems and applications.
  • A team of “qualified” people to manage the operational functions within the cybersecurity program, along with processes for security training for the team to keep them up-to-date on threats, risks, exploits, and trends within the industry.
  • A program to assess the security of third-party service providers, and ensure compliance of those providers to a standard set of requirements.

It also

  • Requires that New York State be notified within seventy-two hours if a “cybersecurity event” occurs.
  • Covered entities must be in compliance with these standards immediately, and, by February of 2018, submit a “Certificate of Compliance” certifying that they are meeting these requirements.
  • Applies to “…any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” within the state of New York, which is a pretty wide swath of companies.
Tags: Compliance