Are you prepared for the amended NYDFS cybersecurity regulation (23 NYCRR Part 500) to take effect? The comment period on the proposed amendment ended on January 9, 2023, so the changes are coming.
The proposed amendment adds many new requirements that span all areas of cybersecurity. We've put together the following NYDFS cybersecurity checklist so you can assess your readiness to comply.
Some of the new requirements will require significant planning and investment, so don't wait to act. Our team can help advise on and execute the changes that may be necessary for compliance.
Classification
- Does the company understand how it is classified under the amended rule? Class A companies will have additional requirements going forward.
- If you're a Class A company, have you had an independent audit of your cybersecurity program conducted within the last year?
Policies and Procedures
- Has your cybersecurity policy been approved at least annually by a senior governing body?
- Have procedures been developed, documented, and implemented in accordance with your cybersecurity policy?
- Does your policy cover data retention, device end-of-life management, remote access, network monitoring, security awareness and training, incident response and notification, and vulnerability management?
- Does your CISO report all material cybersecurity issues to senior management in a timely manner, including updates to the risk assessment and cybersecurity events?
- Does the board of directors (or equivalent) provide direction on cyber risk management, require that the cybersecurity program is implemented and maintained, and have sufficient expertise or knowledge of cyber risk management?
Vulnerability Management
- Are policies and procedures for vulnerability management developed, documented, and implemented?
- Have you performed both internal and external penetration tests of your systems within the last 12 months?
- Do you have a monitoring process in place to ensure you are promptly informed of newly disclosed vulnerabilities affecting your systems?
- Are you remediating vulnerabilities in a timely manner, prioritized by risk?
- Are material issues found during testing reported to senior management?
Access Privileges and Management
- Are privileged accounts limited in number and used only for functions that require privileged access?
- Are all user access privileges reviewed at least annually, and are accounts that are no longer necessary promptly disabled?
- Are all protocols that permit remote control of devices and accounts disabled or securely configured?
- Is access terminated promptly when users depart?
- Does your password policy meet industry standards?
- Are you using a privileged access management (password vaulting) solution for accounts with privileged access?
- Do you have an automated method of blocking commonly used passwords for all accounts?
Risk Assessment
- Have you had an independent, third-party risk assessment conducted within the last 3 years?
- Is the risk assessment reviewed and updated at least annually, and whenever a change in the business or technology causes a material change to the organization's cyber risk?
Multi Factor Authentication (MFA)
- Are you using MFA for remote access to the organization's systems, for remote access to third-party applications, and for all privileged accounts?
- Are you still relying on SMS/text-message codes for MFA? SMS one-time codes are the weakest MFA factor (vulnerable to SIM swapping and real-time phishing), so plan to move remote-access and privileged users to authenticator apps or hardware tokens.
Asset Inventory
- Do you have a complete and accurate inventory of all hardware, software, and outsourced technology resources?
Monitoring and Training
- Do you have a system in place to monitor email and filter out potentially malicious content?
- Do you provide training, exercises, and simulations on cybersecurity threats and phishing for all employees at least annually?
- If you're a Class A company, do you have an endpoint detection and response (EDR) solution to detect anomalous activity, and a solution that centralizes logging and security event alerting?
Incident Response Plan
- Do you have incident response, business continuity, and disaster recovery plans that contain proactive measures to investigate and mitigate disruptive events and to ensure operational resilience?
- Do your business continuity and disaster recovery (BCDR) plans include the minimum requirements of the amended rule?
- Are all your employees trained on your BCDR plans, and are the plans tested at least annually?
- Can you provide notice of a cybersecurity event within the timelines set by the amended rule?
Encryption
- Do you maintain a written encryption policy that meets industry standards?
- Where encryption is not used, is the CISO's approval of compensating controls documented in writing?
Our team can help advise on and execute any of the changes created by the NYDFS cybersecurity regulation that may be necessary for compliance. Contact us to learn more.