CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES 23 NYCRR 500
NEW YORK STATE
DEPARTMENT OF FINANCIAL SERVICES
PROPOSED
“Section 500.03 Cybersecurity Policy.
(a) Cybersecurity Policy. Each Covered Entity shall implement and maintain a written cybersecurity policy setting forth the Covered Entity’s policies and procedures for the protection of its Information Systems and Nonpublic Information stored on those Information Systems. The cybersecurity policy shall address, at a minimum, the following areas:
(1) information security;
(2) data governance and classification;
(3) access controls and identity management;
(4) business continuity and disaster recovery planning and resources;
(5) capacity and performance planning;
(6) systems operations and availability concerns;
(7) systems and network security;
(8) systems and network monitoring;
(9) systems and application development and quality assurance;
(10) physical security and environmental controls;
(11) customer data privacy;
(12) vendor and third-party service provider management;
(13) risk assessment; and
(14) incident response.
Section 500.20 Effective Date. This part will be effective January 1, 2017. Covered Entities will be required to annually prepare and submit to the superintendent a Certification of Compliance with New York State Department of Financial Services Cybersecurity Regulations under Section 500.17 commencing January 15, 2018 …”