March 1st DFS 23 NYCRR 500 Compliance Deadline Fast Approaching - What You Need to Know

Type

Compliance Alert

Topics
  • Cybersecurity

March 1, 2018 is the next compliance deadline for the New York State Department of Financial Services' ("DFS") New York State Law 23 NYCRR 500 Cybersecurity Requirements for Financial Services Companies (“23 NYCRR 500”). Several key requirements, including a full-scale risk assessment and employee training, must be completed and implemented by this date.

By March 1, 2018, firms that meet the DFS 23 NYCRR 500 regulation's definition of "Covered Entity" must have the following cybersecurity measures in place:

  • Risk Assessment – Requires your organization to complete a risk assessment to determine the level of protection required for cybersecurity and access to non-public information ("NPI").
     
  • Multi-Factor Authentication – Requires that access to NPI be protected by multi-factor authentication if deemed reasonable by your risk assessment. Multi-factor authentication uses two or more authentication methods to confirm a user’s identity (for example, a combination of username/password plus a text message).
     
  • CISO Report to Board of Directors – Requires your organization's named CISO to provide annual reports to your organization's Board of Directors or governing body.
     
  • End User Training – Requires all end users in your organization to receive annual training on cybersecurity threats, vulnerabilities, and protections.
     
  • Vulnerability Testing – Requires your organization to conduct ongoing vulnerability assessments to determine weaknesses in internal and external websites, servers, and endpoints.
     
  • Penetration Testing – Requires that periodic penetration testing be conducted against your organization’s systems and servers to determine and mitigate weaknesses and flaws.

Additional Resources

The following ACA resources are available to help your firm navigate the complexities of the DFS 23 NYCRR 500 regulation: