#175 - Navigating NYDFS Cyber Regulation

This episode of CISO Tradecraft dives deep into the New York Department of Financial Services Cybersecurity Regulation, known as Part 500. Hosted by G Mark Hardy, the podcast outlines the significance of this regulation for financial services companies and beyond. Hardy emphasizes that Part 500 serves as a high-level framework applicable not just in New York or the financial sector but across various industries globally due to its comprehensive cybersecurity requirements. The discussion includes an overview of the regulation's history, amendments to enhance governance and incident response, and a detailed analysis of key sections such as multi-factor authentication, audit trails, access privilege management, and incident response. Additionally, the need for written policies, designating a Chief Information Security Officer (CISO), and ensuring adequate resources for implementing a cybersecurity program are highlighted. The podcast also offers guidance on how to approach certain regulatory mandates, emphasizing the importance of teamwork between CISOs, legal teams, and executive management to comply with and benefit from the regulation's requirements.

AuditScripts: https://www.auditscripts.com/free-resources/critical-security-controls/

NYDFS: https://www.dfs.ny.gov/industry_guidance/cybersecurity 

Transcripts: https://docs.google.com/document/d/1CWrhNjHXG1rePtOQT-iHyhed2jfBaZud

Chapters

• 00:00 Introduction
• 00:35 Why Part 500 Matters Beyond New York
• 01:48 The Evolution of Financial Cybersecurity Regulations
• 03:20 Understanding Part 500: Definitions and Amendments
• 08:44 The Importance of Multi-Factor Authentication
• 14:33 Navigating the Complexities of Cybersecurity Regulations
• 20:23 The Critical Role of Asset Management and Access Privileges 25:37 The Essentials of Application Security and Risk Assessment
• 31:11 Incident Response and Business Continuity Management
• 32:36 Concluding Thoughts on NYDFS Cybersecurity Regulation