
By Tim Buckler
The first phase implementation date of New York’s “Cybersecurity Requirements for Financial Services Companies” rule is August 28th, 2017. The rule requires firms to develop and maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of their information systems. The program must be based on a risk assessment, identify and assess internal and external cybersecurity risks, use defensive infrastructure and implement policies and procedures to protect the firm’s information systems and Nonpublic Information; detect, respond to and recover from cybersecurity events; and, fulfill regulatory reporting requirements.
While broker-dealers and investment advisors are not specifically required to follow the rule, section 500.01(c) stipulates that “Covered Entity means any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” In other words, if you are authorized to work under the Banking Law, you will probably need to follow the rule. You can find a list of all the types of institutions that the NY DFS supervises here.
To find out if your firm qualifies for exemptions from some provisions of the rule, check the exemption list in section 500.19. If at some point your firm no longer meets the requirements for the exemptions, you have 180 days to meet all in-force requirements. If you plan to use an exemption, you will have to file a notice to that effect with the NY DFS by September 27, 2017. At the end of the rule, the NY DFS has provided a draft of the exemption notice. Then mark your calendar to routinely test to make sure your firm still qualifies for an exemption.
Don’t forget, this is only the first phase. If you are a Covered Entity, you must submit a written statement to the NY DFS by February 15th, 2018 attesting that your firm is in compliance with the first seven sections. The deadline for the second phase is March 1, 2018, when five more sections become effective:
View NY DFS Cybersecurity FAQs
Oyster Consulting’s cybersecurity services include developing and implementing risk assessments, policies and procedures, response and business continuity plans, among others. Oyster has the background and perspective to help you build the cybersecurity program that is right for your firm. We are the right partner to help you bridge the gap where business and technology meet, ensuring that you have the resources to understand the threats and the ability to protect yourself.