This is the fifth post in a series of blog posts analyzing certain key changes proposed in the New York Department of Financial Services (“NYDFS”) cybersecurity regulations. In case you missed it, other posts covering risk assessment, policy and procedure changes, the role of the CISO, and board-level impact can be found here, here, here, and here.
New definition. The proposed regulation redefines a large or “Class A” company under Section 500.1(c) as follows: respective locations for the last two years).
5 new duties for big business. In addition to the risk assessment obligations covered in the first post that apply generally to all companies, Class A companies have five additional, more stringent obligations:
- Conduct annual independent audits (500.2(c)).
- Conduct a comprehensive scan or review of the enterprise’s information systems at least weekly (500.5(a)(2)).
- Monitor privileged access activity and employ secure access controls (500.7(b)).
- Conduct a risk assessment at least every three years using an outside expert (500.9(d)).
- Use secure controls or tools, including endpoint detection and response solutions to monitor for anomalous activity, and centralized logging and security event alerting solutions (500.14(b)).
Most Significant Change: Annual Independent Audit. In our opinion, the most impactful proposed change above is the requirement for annual independent audits.
Class A companies may consider a “Systems and Organizational Controls” (“SOC2®”) audit. This is the audit closest to the cybersecurity regulation’s requirements, and some companies have already conducted SOC2® audits, at least for certain operations. (CPAs perform SOC2® audits for organizations to report on controls related to security, availability, processing integrity, confidentiality, or privacy.) Companies have 180 days from the date the security rules take effect (or a different transition period for certain sections, including Sections 500.7(b) and 500.14(b), both of which provide a one-year period for compliance). Companies that lose an exemption have only 120 days from becoming non-exempt. However, a SOC2® audit takes one year to complete, and controls must be tested for at least six months during that year. For large companies, this can be an expensive process.
A SOC2® audit does not automatically cover the full scope of the NYDFS Regulations or the specific controls they require. If a company chooses a SOC2® audit, it needs to consider whether the scope of the audit covers the cybersecurity regulation’s requirements, such as the specific technical requirements and the strengthening of information security and business continuity based on the company’s business operations. In addition, the NYDFS regulation’s third-party management requirements include requirements that are not typically reviewed and tested in a SOC2® audit. Auditors should learn more about the NYDFS cybersecurity regulations and work with the large organizations concerned to tailor their audits to meet these requirements.
This alert provides general coverage of its subject area. It is provided with the understanding that Frankfurt Kurnit Klein & Selz is not engaged in rendering legal advice herein and shall not be held liable for damages resulting from errors, inaccuracies, or omissions. Our attorneys practice law only in jurisdictions in which they are properly authorized. We do not seek to represent clients in other jurisdictions.