Cybersecurity Resource Center Department of Financial Services

CISA acts as the quarterback for the federal cybersecurity team, protecting and defending the home front—our federal civilian government networks—in close partnership with the Office of Management and Budget, which is responsible for federal cyber security overall. CISA also coordinates the execution of our national cyber defense, leading asset response for significant cyber incidents and ensuring that timely and actionable information is shared across federal and non-federal and private sector partners. Under 23 NYCRR Part 500, the Covered Entity is responsible for compliance with respect to its Information Systems. Therefore, it must evaluate and address any risks that a BHC presents to the Covered Entity’s Information Systems and/or Nonpublic Information.

This Executive Order makes a significant contribution toward modernizing cybersecurity defenses by protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the United States’ ability to respond to incidents when they occur. DHS encourages private sector companies to follow the Federal government’s lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents. Established in 2018, CISA was created to work across public and private sectors, challenging traditional ways of doing business by engaging with government, industry, academic, and international partners.

The attempted cyber-attack on a water treatment facility in Florida in early 2021 as well as the Colonial Pipeline ransomware attack were powerful reminders of the substantial risks that need to be addressed. Each Affiliate’s employees who are responsible for any aspect of the Covered Entity’s business, regardless of the location of such employees. If an Affiliate’s employee provides any service to, or performs any task for, the Covered Entity, that employee must be counted, regardless of location. This includes, but is not limited to, any shared services provided by an Affiliate that are used by the Covered Entity. The Department of Financial Services recognizes that small businesses are the backbone of our economy.

Among the widely used frameworks Covered Entities employ are the FFIEC Cyber Assessment Tool, the CRI Profile, and the NIST Cybersecurity Framework. The Department emphasizes that a well-informed board is a crucial part of an effective cybersecurity program and the CISO's reporting to the full board is important to enable the board to assess the Covered Entity's governance, funding, structure, and effectiveness as well as compliance with 23 NYCRR Part 500 or other applicable laws or regulations. Develop a process for detecting, reporting, and responding to threats, breaches, or cybersecurity incidents which is consistent with the security rules, guidelines, and processes established by the department through the Florida Digital Service. Level 5 is an emergency-level incident within the specified jurisdiction that poses an imminent threat to the provision of wide-scale critical infrastructure services; national, state, or local government security; or the lives of the country’s, state’s, or local government’s residents. Completing comprehensive risk assessments and cybersecurity audits, which may be completed by a private sector vendor, and submitting completed assessments and audits to the department. While the FBI only employs about 35,000 people, their cybersecurity personnel is constantly growing.

The notification must include a high-level description of the incident and the likely effects. Level 1 is a low-level incident that is unlikely to impact public health or safety; national, state, or local security; economic security; civil liberties; or public confidence. Level 3 is a high-level incident that is likely to result in a demonstrable impact in the affected jurisdiction to public health or safety; national, state, or local security; economic security; civil liberties; or public confidence. Level 4 is a severe-level incident that is likely to result in a significant impact in the affected jurisdiction to public health or safety; national, state, or local security; economic security; or civil liberties.

Once the agency has provided documentation of its actions, we plan to verify whether implementation has occurred. The Federal Government contracts with IT and OT service providers to conduct an array of day-to-day functions on Federal Information Systems. These service providers, including cloud service providers, have unique access to and insight into cyber threat and incident information on Federal Information Systems. At the same time, current contract terms or restrictions may limit the sharing of such threat or incident information with executive departments and agencies that are responsible for investigating or remediating cyber incidents, such as the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and other elements of the Intelligence Community. Removing these contractual barriers and increasing the sharing of information about such threats, incidents, and risks are necessary steps to accelerating incident deterrence, prevention, and response efforts and to enabling more effective defense of agencies’ systems and of information collected, processed, and maintained by or for the Federal Government.

In January 2022, the Cybersecurity & Infrastructure Security Agency issued a “Shields-Up” message to U.S. organizations. Cyber-attacks could potentially target communications and navigation systems, power grids, and various elements of the transportation sector to disrupt the nation’s ability to command and control operations. This sprint will focus on the need to cement the resilience of the Nation's democratic infrastructures and protect the integrity of its elections. Leveraging the lessons learned from the previous elections and the relationships CISA has built with local and state authorities across the country, this sprint will ensure election security remains a top priority every year, and not only during election season. During this sprint, the Secretary will focus specifically on the need to increase the cyber resilience of the Nation’s transportation systems – from aviation to rail, pipelines, and the marine transport system. Coast Guard, and CISA are all part of DHS, which presents a unique opportunity for the Department to make progress in this area, to leverage respective best practices, and to deepen the collaboration with the U.S.

These services contain Nonpublic Information that Covered Entities are required to protect. When a Covered Entity is using an independent UR agent, that Covered Entity should be treating them as Third Party Service Providers (“TPSP”). Since UR agents will be receiving Nonpublic Information from that Covered Entity, that Covered Entity must assess the risks each TPSP poses to their data and systems and effectively address those risks.
