The standard has fifteen requirements for covered entities (more than ten employees, more than $5M in gross annual revenue, or more than $10M in year-end assets):
- A formal cybersecurity program.
- Policies/Procedures/Standards governing the cybersecurity program.
- An individual with the CSO/CISO title, and responsibility over the cybersecurity program.
- Annual penetration testing, and bi-annual vulnerability scanning.
- System and application monitoring and auditing controls (basically, a SIEM needs to be in-place).
- A formal user access, authentication, and authorization process.
- Multi-factor authentication.
- A data retention policy and process.
- An awareness training/education program.
- Encryption of non-public information.
- An Incident Response Plan.
- An application security program.
- Risk assessments of all information systems and applications.
- A team of “qualified” people to manage the operational functions within the cybersecurity program, along with processes for security training for the team to keep them up-to-date on threats, risks, exploits, and trends within the industry.
- A program to assess the security of third-party service providers, and ensure compliance of those providers to a standard set of requirements.
- Requires that New York State be notified within seventy-two hours if a “cybersecurity event” occurs.
- Covered entities must be in compliance with these standards immediately, and, by February of 2018, submit a “Certificate of Compliance” certifying that they are meeting these requirements.
- Applies to “…any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” within the state of New York, which is a pretty wide swath of companies.