NY | The New York State Department of Financial Services’ (DFS) Cybersecurity Regulation 23 NYCRR Part 500 (Cybersecurity Regulation) requires covered entities, including individual licensees and single person regulated entities, to maintain a cybersecurity program.
Pursuant to the Cybersecurity Regulation, covered entities must maintain a cybersecurity program designed to identify and assess cybersecurity risks; protect nonpublic information (such as confidential customer information or sensitive business information) and the computers, phones, and other electronic devices storing such information from unauthorized access and other malicious acts; detect, respond to, and recover from cybersecurity events; and comply with applicable regulatory reporting obligations.
To assist individual licensees and single person regulated entities in creating a cybersecurity program, DFS has developed a model Cybersecurity Program Template. This resource prompts licensees to carefully consider and address the core concepts of a cybersecurity program in order to help create a program that complies with the requirements of the Cybersecurity Regulation. The template also includes frameworks for developing and tracking asset inventories, risk assessments, multi-factor authentication exceptions, and third-party service providers. This template is not a substitute for independently evaluating any business, legal, or other issues, and completion does not assure compliance with the Regulation.
The Cybersecurity Program Template is available to download via the Department’s Cybersecurity Resource Center.