Swiss Army Knife
Education Level: Intermediate
4311 - Complying with New York's Cybersecurity Regulation for Financial Services Companies
Monday, September 25
4:30 PM - 5:30 PM
Business Information Security Officer
Whether directly impacted or not, it's good to understand the requirements for New York's Cybersecurity Regulation, given it is the first of its kind in the nation to focus primarily on consumer protection.
- Controls relating to the governance framework for a robust cybersecurity program, including requirements for a program that is adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization.
- Risk-based minimum standards for technology systems, including access controls, data protection including encryption, and penetration testing.
- Required minimum standards to help address any cyber breaches, including an incident response plan, preservation of data to respond to such breaches, and notice to DFS of material events.
- Accountability, by requiring identification and documentation of material deficiencies, remediation plans, and annual certifications of regulatory compliance to DFS.
Learn during this session what parts can be incorporated from existing programs and what additional requirements are needed.
- Understand the nuances of this cybersecurity regulation's requirements, and how to best meet this regulation with an existing cybersecurity program. You will learn what you can bring forward, what is new and how those portions can be implemented.
- Recognize that this regulation is considered to be the first in our nation to have as its primary focus the protection of the consumer. Because of its focus, we need to understand what is meant by a cybersecurity event, and to be careful in our definitions.
- Understand what is required of you as a "covered entity" (CE) and third-party service providers, including reporting requirements: material cybersecurity risks to the CE; overall effectiveness of the CE's cybersecurity program; and material cybersecurity events involving the CE during the reporting period.