NY State DFS - Cyber Security Requirements for Financial Services

The New York State Department of Financial Services (DFS) has released its proposed Cyber Security requirements for Financial Services. They apply to any entity that is operating under, or required to operate under, a license, registration, charter, certificate, permit or accreditation under the Banking law, Insurance law or the Financial Services law. The proposal is open for public comments until Nov 14, 2016.

DFS believes the purpose of this law is to ensure that Financial Services businesses operating under its jurisdiction have robust cyber security measures in place. These requirements are not in conflict with the Gramm-Leach-Bliley Act (GLB), and are put forth to address, improve and include institutions that currently do not fall under GLB. DFS has proposed some limited exemptions for small businesses operating with less than $5M in gross annual revenue.

DFS requires that Top Management/Board of Directors/Executive Board or equivalent should review the business's Cyber Security Program, Policy and Incident Response Policy and ensure that they understand Cyber Risk.

Some Financial Institutions that are regulated under the SEC may already be in part compliant with these requirements. Again, as emphasized by the security community, DFS requires that Top Management/Board of Directors/Executive Board or equivalent should review the business's Cyber Security Program, Policy and Incident Response Policy and ensure that they understand Cyber Risk. Another noteworthy requirement is the use of Multi-Factor authentication for all remote access, 3rd party access, and trusted databases with Non-Public information.

An executive summary of the requirements follows:

1. Maintain an active cyber security program that

  • Identifies and addresses internal and external risks, identifies technology, policy and process controls required for mitigation
  • Addresses Detection, Mitigation, Response and Recovery processes

2. Implement a Cyber Security Policy / Information Security Policy that addresses

  • Cyber Security Technology (system & network) controls, Access Controls & Identity Management
  • Application Security & Secure Development practices for in-house & external applications
  • Data Governance, Data Classification, Data Privacy (customer)
  • Systems Operations, Capacity, Performance, Availability, Disaster Recovery and Business Continuity
  • Continuous Security Monitoring, Risk Assessments and Incident Response
  • Third Party risk identification & minimum cyber security requirements

3. Establish an Incident Response Plan that at a minimum addresses

  • process for responding to events - playbooks
  • roles & responsibilities, especially documented levels of decision-making authority
  • Communications - external and internal
  • Revision process for addressing any failures

4. Encryption of Non Public Information in transit and at rest. Document compensating controls where this is not possible.

5. Appoint / Designate a Chief Information Security Officer (CISO). The CISO shall be responsible for managing the cyber security program, cyber security policy and Incident Response Plan. The CISO is responsible for reviewing and updating the policies and procedures as required, at least once annually. Any exceptions and compensating controls have to be approved by the CISO.

6. Perform a Penetration Test of IT systems annually, and a Vulnerability Assessment at least Quarterly

7. Cyber Risk Assessments should be performed at least annually

8. Provide adequate levels of Cyber Security Awareness training. DFS also recommends that cyber security personnel be trained with updated skills at least annually.

9. DFS requires mandatory notification of a material breach to the Superintendent within 72 hours.

10. DFS requires filing of a written statement of compliance by Jan 15 each year.

These requirements will be effective Jan 2017. Entities that fall under the purview of these requirements will be required to prepare and submit a Certificate of Compliance to the NY State Department of Financial Services annually, by Jan 15.


Kiran Vangaveti is the Founder of BluSapphire Technologies, which provides Managed Security Asset Management, Continuous Security Monitoring, Risk Assessments and Compliance assistance to Small & Medium Enterprises in the Financial and Health Care industries. He is the thought leader behind BluSapphire Intelligent Cyber Defense, a security tool providing unrivaled visibility into Advanced Persistent Threats (APT) and malicious activity on clients' infrastructure, operating across the entire Cyber Defense stack and utilizing Advanced Behavioral Analytics and Multi-layered Anomaly Detection.