What is the NYDFS Cybersecurity Regulation?

The NYDFS Cybersecurity Regulation requires New York insurance companies, banks, and other regulated financial services institutions—including agencies and branches of non-US banks licensed in the state of New York—to assess their cybersecurity risk profile. The NYDFS Cybersecurity Regulation is designed to protect consumers and to “ensure the safety and soundness of the institution,” as well as New York State’s financial services industry.

The regulation went into effect on March 1, 2017, with implementation required within 180 days (by August 28, 2017); it affects entities regulated by the New York Department of Financial Services (DFS). Covered entities must also implement and maintain a comprehensive cybersecurity program in accordance with a specific compliance timeline.


What are the goals of the NYDFS Cybersecurity Regulation?

NYDFS issued the final Cybersecurity Regulation (23 NYCRR Part 500) in response to the growing sophistication of cybercriminals and the increasingly volatile cybersecurity environment facing US financial institutions. The goal of the regulation is to ensure the safeguarding of sensitive customer data and to promote the integrity of the information technology systems of regulated entities.

The regulation requires supervised entities to assess their cybersecurity risk profiles and implement a comprehensive plan that recognizes and mitigates that risk. Certain regulatory minimum standards have been set to assist organizations in preventing data breaches, including:

  • Risk-based minimum standards for information technology systems, including data protection and encryption, access controls, and penetration testing.
  • A requirement that the program be adequately funded, overseen by a chief information security officer (which can include a third-party service provider), and implemented by qualified cybersecurity personnel.
  • Effective incident response plans that include preserving data in order to respond to data breaches, and timely notice to the NYDFS of material events.
  • Accountability provided by identification and documentation of deficiencies, remediation plans, and an annual certification of compliance.

Changes in the Final Rule

You might already be familiar with the original regulation rules that were proposed, but it’s important to note that the final regulation includes some important changes, including:

  • Audit trail—Data retention requirements were reduced from five to three years.
  • Notice—Covered Entities’ policies and procedures regarding notice provided by Third Party Service Providers affect only the Covered Entities’ Nonpublic Information being held by that Third Party Service Provider.
  • Reporting—Clarification of when a Covered Entity must provide notice of a cybersecurity event to the NYDFS.
  • Exemptions—The limited exemptions now take into account the gross annual revenue and the number of employees of a Covered Entity’s affiliates in New York.
  • Insurance—Exemption rules clarified for companies regulated under the insurance laws of New York.

Who does the NYDFS Cybersecurity Regulation affect?

The NYDFS Cybersecurity Regulation covers any organization that is regulated by the Department of Financial Services. This includes:

  • Chartered banks
  • Trust companies
  • Service contract providers
  • Private bankers
  • Mortgage companies
  • Insurance companies doing business in New York
  • Non-U.S. banks licensed to operate in New York

The regulation provides an exemption for organizations with:

  • Fewer than 10 employees
  • Less than $5 million in gross annual revenue for three years, or
  • Less than $10 million in year-end total assets

How do companies become compliant?

The clock started ticking on Cybersecurity Regulation 23 NYCRR Part 500 when it went into effect on March 1, 2017. There are multiple milestones and deadlines to hit in the first year alone, and organizations looking to become compliant will need to pay close attention to the calendar.

Covered Entities are required to be in compliance with certain parts of the regulation as soon as August 28, 2017, and must file their first Certification of Compliance with the NYDFS superintendent’s office by February 15, 2018.

Important steps in achieving compliance are outlined according to the deadlines below.

Important Dates

March 1, 2017 – Effective date of the final 23 NYCRR Part 500.

August 28, 2017 – 180-day mark: Regulated entities must be in compliance with 23 NYCRR Part 500 unless otherwise noted.

To achieve and maintain compliance, by this date a Covered Entity must:

  • Establish an Effective Cybersecurity Program—Section 500.02
  • Create and Maintain a Written Cybersecurity Policy—Section 500.03
  • Designate a Chief Information Security Officer (CISO)—Section 500.04
  • Hire Qualified Cybersecurity Personnel or Utilize Third Party Providers—Section 500.10
  • Establish an Incident Response Plan—Section 500.16

February 15, 2018 – Covered Entities must submit their first Certification of Compliance under 23 NYCRR 500.17(b) on or before this date.

March 1, 2018 – One-year mark. To remain in compliance, by this date organizations must:

  • Report: The CISO must submit a cybersecurity report—Section 500.04(b)
  • Regularly Conduct Penetration Testing and Vulnerability Management—Section 500.05
  • Conduct a Biennial Risk Assessment—Section 500.09

September 3, 2018 – 1.5-year mark. By this date, Covered Entities must certify that they have:

  • Maintained an Audit Trail—Section 500.06
  • Implemented Application Security Protocols—Section 500.08

Achieving and maintaining cybersecurity compliance is a complex process, but it doesn’t have to be a difficult or stressful one. There are resources available to help you take a proactive, data-driven approach to comprehensive cybersecurity that can help bring your organization into full compliance, protect your business’s valuable data, and safeguard your customers’ sensitive information.
