DFS letter has you asking

Presentation transcript:

DFS letter has you asking: What in the world is 23 NYCRR 500? Good morning everyone. My name is Marc Kaplan and I'm the CISO, or Chief Information Security Officer, at FILCO. We are here to talk about 23 NYCRR 500, NY's Cybersecurity Regulation. Many of you received an email from the DFS and wondered if it was spam. It wasn't.

What in the world is 23 NYCRR 500? Cyber Security? While the typical person understands this to be about cyber security, in reality it covers more than just protecting the transmission of PHI data. It's about NYS protecting its revenue stream, with banking and finance making up over 25% of state revenues. NY wants to ensure that the banking and insurance markets don't collapse due to the release of sensitive data.

So what are the main points?
Establish a written program
Implement procedures
Limit access
Do a risk assessment
Certify third party providers with access
Data retention and disposal
Notification of breach

Who? Everyone, even if you're not in NY. https://www.pia.org/IRC/privacy/files/nutshellupdate9.27.17.pdf

So your business is domiciled in New Jersey or some other state? If you do 99.9% of your business outside of NY and write one case situs in NY… ---YOU MUST COMPLY---

Note you should comply as soon as possible.

Sample of Letter

TO: Covered Entities Who Did Not File Certification
FROM: Superintendent Maria T. Vullo
DATE: March 2, 2018
RE: Failure to File Certification of Compliance

As previously advised, all regulated entities and licensed persons of the Department of Financial Services (DFS) were required to file a cybersecurity regulation Certification of Compliance under 23 NYCRR 500 by February 15, 2018. Our records indicate that to date you have not made such filings under the regulation.[1] The Certification of Compliance is to cover the period as of December 31, 2017 for all requirements of the cybersecurity regulation in force by that date. All Covered Entities that have failed to submit the Certification and that are in compliance with the regulation should do so via the DFS cybersecurity portal as soon as possible. The DFS Certification of Compliance is a critical governance pillar for the cybersecurity program of DFS regulated entities, and DFS takes compliance with the regulation seriously. The Department will consider a failure to submit a Certification of Compliance as an indicator that the cybersecurity program of the Covered Entity has a substantive deficiency. The Certificate of Compliance is required even if you filed for a limited exemption under 23 NYCRR Part 500.19. These exemptions have been tailored to address particular circumstances and include requirements that the Department believes are necessary for these exempted entities. Covered Entities are required to file a Certificate of Compliance to confirm that they are in compliance with those provisions of the regulation that apply to that Covered Entity. The goal of DFS’s cybersecurity regulation is for all regulated institutions to have a robust, risk-based program so that New York’s financial services industries strengthen protections from cybersecurity attacks and protect consumers’ private data and our financial markets.

As DFS continues to implement its cybersecurity regulation, we also will take additional steps to protect the financial services industries from cyber attacks, including through our examinations. The DFS web portal also contains a copy of the cybersecurity regulation and a set of frequently asked questions.

[1] If you submitted a Certification and received this notification, then please send an email to cyberregcomments@dfs.ny.gov with the full name of the licensed entity, license number, and confirmation number from your filing and DFS will look into your inquiry.

The idea here isn't that you must have NO risk today. The idea is to limit the risk and work each year toward putting protections in place and having procedures.

Limited Exemptions. There are a number of groups we fall into as service providers, and some have exemptions from parts of the ruling. Most of you here fall into two categories we'll discuss later in the presentation. You must submit an exemption filing to qualify.

EFFECTIVE DATES

Section     Description                                 Effective Date
500.02      Maintain Cyber Program                      8/28/17
500.03      Maintain Written Procedures
500.04      CISO (Chief Info Security Officer)
500.04 b    Annual Report by CISO                       3/1/18
500.05      Penetration Testing and Vulnerability
500.06      Audit Trail                                 8/28/18
500.07      Access
500.08      Application Security
500.09      Risk Assessment
500.10      Cybersecurity Personnel and Intelligence
500.11      Third Party Provider Policy                 3/1/19
500.12      Multi-Factor Authentication
500.13      Limitations on Data Retention
500.14 a1   Monitor Unauthorized Users/Detection
500.14 a2   Cyber Training
500.15      Encryption of Non Public Info
500.16      Incident Response Plan
500.17      Notice to Superintendent

Here we show a list of the due dates for all components. Note most of the dates have passed and are marked RED. The highlighted ones are the limited exemption obligations.

500.02 Cybersecurity Program. Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems. The cybersecurity program shall be based on the Covered Entity’s Risk Assessment and designed to perform core cybersecurity functions.


500.03 Cybersecurity Policy. Each Covered Entity shall implement and maintain a written policy or policies, approved by a Senior Officer or the Covered Entity’s board of directors (or an appropriate committee thereof) or equivalent governing body, setting forth the Covered Entity’s policies and procedures for the protection of its Information Systems and Nonpublic Information stored on those Information Systems. The cybersecurity policy shall be based on the Covered Entity’s Risk Assessment.


500.07 Access Privileges. Based on the Covered Entity’s Risk Assessment, each Covered Entity shall limit user access privileges to Information Systems that provide access to Nonpublic Information and shall periodically review such access privileges. You need to document a list of everyone's access to systems that provide non-public info: computers, programs, files, etc.
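One way to turn "document everyone's access and review it periodically" into a repeatable check, as an added example that is not part of the presentation or FILCO's procedures: keep an inventory of accounts and the systems each one can reach, tag the systems that hold Nonpublic Information, and run a review that flags terminated users who still hold access, access beyond what a role is expected to need, and accounts whose last review is older than the review cadence. The systems, roles, role entitlements, 90-day interval and sample accounts below are all constructed assumptions.

```python
"""Access-privilege inventory and periodic review for systems that hold
Nonpublic Information (the 500.07 obligation). Added example; every system,
role, entitlement and account below is constructed, not DFS or FILCO data."""
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=90)  # assumed review cadence

# Constructed inventory of systems that hold Nonpublic Information.
NPI_SYSTEMS = {"policy-admin", "claims-db", "file-share"}

# Assumed mapping of job role -> NPI systems that role is expected to need.
ROLE_ENTITLEMENTS = {
    "underwriter": {"policy-admin", "claims-db"},
    "claims-adjuster": {"claims-db"},
    "it-admin": {"policy-admin", "claims-db", "file-share"},
    "marketing": set(),
}


@dataclass
class Account:
    user: str
    role: str
    active: bool          # False once HR has terminated the person
    systems: set          # every system the account can currently reach
    last_reviewed: date   # when a manager last attested to this access


def review_access(accounts, today):
    """Return (inventory, findings).

    inventory: the documented list of who has access to which NPI systems.
    findings:  (user, reason, systems) tuples a reviewer must act on.
    """
    inventory, findings = [], []
    for a in accounts:
        npi_access = sorted(a.systems & NPI_SYSTEMS)
        inventory.append({"user": a.user, "role": a.role, "npi_systems": npi_access})
        if not npi_access:
            continue  # no NPI exposure, nothing to review here
        if not a.active:
            findings.append((a.user, "terminated user still holds NPI access", npi_access))
            continue
        excess = sorted(set(npi_access) - ROLE_ENTITLEMENTS.get(a.role, set()))
        if excess:
            findings.append((a.user, "access beyond role entitlement", excess))
        if today - a.last_reviewed > REVIEW_INTERVAL:
            findings.append((a.user, "review overdue", npi_access))
    return inventory, findings


def run_sample():
    """Run the review over a constructed set of accounts as of 2018-06-01."""
    accounts = [
        Account("alice", "underwriter", True, {"policy-admin", "claims-db", "email"}, date(2018, 1, 10)),
        Account("bob", "marketing", True, {"claims-db"}, date(2018, 5, 1)),
        Account("carol", "claims-adjuster", False, {"claims-db"}, date(2018, 5, 15)),
        Account("dave", "it-admin", True, {"policy-admin", "file-share"}, date(2018, 5, 20)),
        Account("erin", "marketing", True, {"email"}, date(2017, 1, 1)),
    ]
    return review_access(accounts, date(2018, 6, 1))


if __name__ == "__main__":
    inventory, findings = run_sample()
    for row in inventory:
        print(row)
    for user, reason, systems in findings:
        print(f"FINDING {user}: {reason} {systems}")
```

The inventory list is what you keep on file as the documented access list; the findings are the work items for the periodic review. Erin's last review is stale but she reaches no NPI system, so she is listed in the inventory and generates no finding.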

500.09 Risk Assessment. Each Covered Entity shall conduct a periodic Risk Assessment of the Covered Entity’s Information Systems sufficient to inform the design of the cybersecurity program as required by this Part. Such Risk Assessment shall be updated as reasonably necessary to address changes to the Covered Entity’s Information Systems, Nonpublic Information or business operations.

500.11 Third Party Service Provider Security Policy. Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers.

500.13 Limitations on Data Retention. As part of its cybersecurity program, each Covered Entity shall include policies and procedures for the secure disposal on a periodic basis of any Nonpublic Information identified in section 500.01(g)(2)-(3) of this Part that is no longer necessary for business operations or for other legitimate business purposes of the Covered Entity, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.
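The 500.13 text has three branches a periodic disposal run has to get right: dispose of NPI that is past its business need, but keep anything retention law still covers, and keep (and revisit) anything where targeted deletion is not feasible because of how it is stored. The following is an added example, not part of the presentation or any DFS guidance; the record categories, retention periods in days, and sample records are constructed assumptions.

```python
"""Periodic disposal review for Nonpublic Information (the 500.13 obligation).
Added example; the retention schedule and records are constructed, not a
DFS schedule or FILCO's procedure."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed retention schedule: days since last legitimate business use,
# per record category.
RETENTION_DAYS = {
    "claim-file": 7 * 365,
    "quote": 365,
    "marketing-lead": 180,
}


@dataclass
class Record:
    record_id: str
    category: str
    last_used: date
    legal_hold: bool = False   # retention required by law, regulation or litigation
    targetable: bool = True    # False when selective deletion is not feasible
                               # (e.g. the only copy sits on an archived backup set)


def disposal_review(records, today):
    """Split records into those to securely dispose and those to retain.

    Returns (dispose, retain): dispose is a list of record ids, retain a list
    of (record_id, reason) so the decision is documented for examination.
    """
    dispose, retain = [], []
    for r in records:
        limit = RETENTION_DAYS.get(r.category)
        if limit is None:
            # Unclassified data cannot be safely disposed or confidently kept.
            retain.append((r.record_id, "no retention rule; needs classification"))
        elif today - r.last_used <= timedelta(days=limit):
            retain.append((r.record_id, "within retention period"))
        elif r.legal_hold:
            retain.append((r.record_id, "retention required by law or regulation"))
        elif not r.targetable:
            retain.append((r.record_id, "targeted disposal not feasible; revisit"))
        else:
            dispose.append(r.record_id)
    return dispose, retain


def run_sample():
    """Run the review over constructed records as of 2018-09-01."""
    records = [
        Record("Q-1001", "quote", date(2017, 3, 1)),                     # stale quote
        Record("Q-1002", "quote", date(2018, 6, 1)),                     # recent quote
        Record("C-2001", "claim-file", date(2010, 1, 1), legal_hold=True),
        Record("L-3001", "marketing-lead", date(2017, 12, 1), targetable=False),
        Record("X-4001", "unknown", date(2015, 1, 1)),                   # never classified
    ]
    return disposal_review(records, date(2018, 9, 1))


if __name__ == "__main__":
    dispose, retain = run_sample()
    print("dispose:", dispose)
    for record_id, reason in retain:
        print(f"retain {record_id}: {reason}")
```

The retain list is as important as the dispose list: it is the written reason each item was kept, which is what an examiner asks for when the policy says disposal is periodic but a record is still there.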


Section 500.17 Notices to Superintendent.
(a) Notice of Cybersecurity Event. Each Covered Entity shall notify the superintendent as promptly as possible but in no event later than 72 hours from a determination that a Cybersecurity Event has occurred that is either of the following: (1) Cybersecurity Events impacting the Covered Entity of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body; or (2) Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.
(b) Annually each Covered Entity shall submit to the superintendent a written statement covering the prior calendar year. This statement shall be submitted by February 15 in such form set forth as Appendix A, certifying that the Covered Entity is in compliance with the requirements set forth in this Part. Each Covered Entity shall maintain for examination by the Department all records, schedules and data supporting this certificate for a period of five years. To the extent a Covered Entity has identified areas, systems or processes that require material improvement, updating or redesign, the Covered Entity shall document the identification and the remedial efforts planned and underway to address such areas, systems or processes. Such documentation must be available for inspection by the superintendent.
Ask Askari to detail what constitutes an event.


We are late, so what do we do? DON’T DO NOTHING. It’s the DFS and they have your number. Your clients will appreciate that you protect their data.
File for the exemption
Do a GAP analysis of what it would take to come into compliance
Prepare to respond to the DFS as to why you missed the implementation date and how you are moving toward compliance
Hire a TPA/lawyer/outsourced IT to bring you to compliance
Complete the documentation and certify with DFS

I’m an Entity/Have Multiple entities? Ask Askari

I’m an Entity/Have Multiple entities? YOU MUST COMPLY WITH NYCRR.
Create a login with the DFS and request a partial exemption.
Do a risk and GAP assessment against the limited regulations.
Decide if you're capable of writing new company procedures. If not, hire a lawyer/TPA to complete the documentation.
Log back into the DFS site and certify that you are in compliance.

I’m only an Independent Agent? YOU MUST COMPLY WITH NYCRR.
Create a login with the DFS and request a partial exemption.
Do a risk and GAP assessment against the limited regulations.
Decide if you're capable of writing new company procedures. If not, hire a lawyer/TPA to complete the documentation.
Log back into the DFS site and certify that you are in compliance.

Going Forward
New employees must be waived and certified within 30 days.
Each year you must certify compliance by March 15th for the previous year.
Each year you must perform an analysis of your procedures and document any changes.
You must maintain records of all incidents.

Questions? mkaplan@filco.net rmurray@filco.net