Financial institutions operating in New York must comply with the 23 NYCRR 500 requirements to prevent cybersecurity risks from impacting sensitive consumer data. Complying with 23 NYCRR 500 will help you implement best practices to secure financial service transactions.
A Comprehensive Guide to 23 NYCRR 500 Compliance
Compliance with the 23 NYCRR 500 requirements will help you keep cybersecurity threats from compromising the sensitive financial data your organization handles.
As a primer to the 23 NYCRR 500 framework, this blog will cover:
- An overview of the 23 NYCRR 500 and who must comply with its requirements
- A breakdown of the fundamental NYDFS 500 requirements
Implementing the 23 NYCRR 500 requirements will help increase your confidence in the security of your data and assure stakeholders of your commitment to keeping their data safe. With the help of a trusted NYCRR 500 compliance partner, you will streamline your compliance journey and secure data in the long term.
What is the 23 NYCRR 500?
To protect the integrity of sensitive consumer information, the New York State Department of Financial Services (NYDFS) established the 23 NYCRR 500 regulations. They went into effect in March 2017, providing organizations regulated by the NYDFS with security controls to safeguard financial services transactions from being compromised.
Considering the pressing cybersecurity threats to the financial services industry and the technological advances that place these organizations at high risk for cyberattacks, the 23 NYCRR 500 controls provide robust cybersecurity risk management.
To a large extent, the DFS cybersecurity requirements overlap with those of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and the privacy stipulations of the European Union (EU) General Data Protection Regulation (GDPR).
By complying with the 23 NYCRR 500 requirements, financial institutions in New York can meet and potentially surpass the cybersecurity standards in the financial services industry.
Compliance with the NYDFS 500 regulations also minimizes privacy and security risks to sensitive data and mitigates threats to critical digital assets within your infrastructure.
Who Must Comply with the NYCRR 500?
23 NYCRR 500 compliance is required for all entities in the State of New York currently “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” Authorized users, such as employees or contractors who conduct business operations on behalf of or in partnership with a covered entity, are bound by that entity’s cybersecurity program and policies and so must operate within the 23 NYCRR 500 requirements.
Smaller organizations qualify for a limited exemption, which relieves them of some, but not all, of the requirements, if they meet any one of the following criteria:
- Fewer than 10 employees, including independent contractors
- Less than $5 million in gross annual revenue in each of the last three fiscal years from New York business operations
- Less than $10 million in year-end total assets, including the assets of affiliates
As an NYDFS 500-covered entity, or a third-party service provider to one, remaining compliant with the 23 NYCRR 500 Requirements will help you stay ahead of cybercriminal threats and prevent them from becoming full-blown attacks.
What are the 23 NYCRR 500 Compliance Requirements?
The “23” in the name refers to Title 23 of the New York Codes, Rules and Regulations; the regulation itself is Part 500 of that title, organized into numbered sections (500.00 through 500.23 in the original text). Their collective goal is to help financial institutions methodically identify and mitigate threats to sensitive data and critical assets before they can develop into compromising cyberattacks.
Below, we’ll discuss the 15 sections that carry the substantive controls (500.02 through 500.16) and how they can boost your cyber defenses:
R1 – Establish and Maintain a Cybersecurity Program
NYCRR 500-covered entities are required to maintain a cybersecurity program that safeguards the confidentiality, integrity, and availability of their information systems.
An NYDFS 500-compliant cybersecurity program will help you:
- Detect internal and external cybersecurity risks to the sensitive nonpublic information stored across your IT infrastructure.
- Mount reliable cyber defenses and implement processes that protect financial services data from attempts to gain unauthorized system access.
- Promptly identify and respond to security incidents before they can impact other parts of your IT infrastructure.
- Recover from security incidents and restore your assets to their normal states.
- Meet the obligations of regulatory frameworks.
The implementation of an NYCRR 500-compliant cybersecurity program must also be documented thoroughly for compliance record-keeping purposes.
R2 – Implement a Cybersecurity Policy
The 23 NYCRR 500 requires NYDFS-covered financial institutions to implement and maintain a cybersecurity policy that documents the procedures used to safeguard sensitive customer data from security threats. This policy should manage risks in the following operational areas:
- Information security
- Data governance
- Asset inventory
- Business continuity and disaster recovery planning
- Identity and access control management
- Systems operations
- Systems and network security
- Systems and network monitoring
- Systems and application development
- Physical and environmental security controls
- Customer data privacy
- Vendor and third-party risk management
- Incident response
An NYCRR 500 cybersecurity policy should also be implemented with oversight from a designated member of the institution’s senior leadership or Board.
R3 – Designate a Chief Information Security Officer (CISO)
Financial institutions are required to designate a qualified CISO to oversee the implementation and enforcement of the NYCRR 500 cybersecurity policy. Employment of the CISO is not limited to the NYDFS-covered entity. A virtual or other third-party CISO may be utilized.
An affiliate or third-party service provider may employ the CISO, provided the covered entity:
- Remains responsible for NYCRR 500 compliance obligations
- Provides strategic leadership and oversight of the third-party service provider
- Holds the third-party service provider accountable for maintaining a cybersecurity program that aligns with the 23 NYCRR 500 requirements
The CISO is required to report in writing, at least annually, to the senior leadership or Board of the covered entity on the effectiveness of the NYCRR 500 cybersecurity program, covering:
- The confidentiality, integrity, and security of the covered entity’s digital assets
- Existing cybersecurity policies and procedures
- Material cybersecurity risks and incidents
Whether you are sourcing for a CISO internally or externally, consider consulting with an NYDFS compliance partner to guide your decision-making and maximize your CISO ROI.
R4 – Conduct Penetration Testing and Vulnerability Assessments
Monitoring and testing an NYCRR 500 cybersecurity program is crucial to evaluating its effectiveness and ensuring it continually meets the 23 NYCRR 500 requirements.
Absent effective continuous monitoring that detects changes in information systems which may create or indicate vulnerabilities, covered entities must conduct:
- Annual penetration testing of their information systems, scoped to the risks identified in the risk assessment, so that exploitable weaknesses are found before an attacker finds them
- Bi-annual (twice-yearly) vulnerability assessments to detect publicly known vulnerabilities in the systems that make up the IT architecture
Using the results of an internal or external risk assessment to scope and prioritize this testing will help your institution promptly detect and remediate the weaknesses that matter most.
R5 – Maintain Audit Trails of Financial Transactions
Covered entities are required to secure the systems that hold this information, and those systems must satisfy two requirements:
- Reconstruction of transactions – The systems must be able to reconstruct material financial transactions sufficient to support the normal operations and obligations of the covered entity. These records must be kept for at least five years.
- Maintenance of audit trails – The systems must include audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of the covered entity’s normal operations. These records must be kept for at least three years.
R6 – Leverage Access Controls
NYDFS 500 covered entities are also required to limit the user access privileges they provide to sensitive data environments. Doing so helps mitigate unauthorized attempts to access nonpublic information.
The NYCRR 500 does not specify which controls entities can leverage to meet these requirements.
However, partnering with an identity and access management (IAM) specialist can provide insight into leading industry-standard tools and best practices to secure sensitive nonpublic information from unauthorized access.
R7 – Secure Digital Applications
Applications developed in-house and applications developed externally must both be secured before they process sensitive consumer financial data. To that end, the 23 NYCRR 500 requires institutions to:
- Document written procedures, guidelines, and standards for secure in-house application development
- Evaluate, assess, and test the security of externally developed applications before they go live in the covered entity’s production environment
- Have the CISO (or a qualified designee) periodically review, assess, and update these procedures, guidelines, and standards
Securing applications that process sensitive financial services data will help you minimize risks such as web application vulnerabilities from compromising the integrity and privacy of data.
R8 – Conduct Periodic Risk Assessments
NYDFS compliance requires periodic risk assessments of the covered entity’s information systems to ensure that the overall security program remains effective. These assessments must follow written policies and procedures that set out:
- Criteria for evaluating and categorizing the cybersecurity risks identified
- Criteria for assessing the confidentiality, integrity, security, and availability of the information systems and the adequacy of existing controls
- Requirements describing how identified risks will be mitigated or accepted, and how the cybersecurity program will address them
Since risks change over time, controls must be adjusted to meet the security and technological demands faced by the NYDFS-covered entity.
R9 – Staff Cyber Security Personnel
Compliance with the 23 NYCRR 500 also requires financial institutions to invest in cybersecurity personnel and intelligence. Beyond staffing security roles, covered entities are expected to:
- Source personnel who can manage cybersecurity risks and oversee the implementation of critical security functions
- Provide cybersecurity training to equip internal staff to address security risks and threats
- Support critical cybersecurity staff in upskilling or improving their understanding of the threat landscape and potential risks to the institution
In some cases, financial institutions may not have sufficient bandwidth or resources to support the training of internal cybersecurity personnel. By partnering with a cybersecurity awareness training specialist, you will streamline in-house DFS cybersecurity training.
R10 – Implement Third-Party Provider Security Policies
To ensure third parties remain compliant with the 23 NYCRR 500 requirements, covered entities must implement security policies that:
- Ensure third-party service providers adhere to risk assessment guidelines
- Hold third-party service providers accountable for implementing cybersecurity practices
- Oversee due diligence processes for third-party business operations
- Require periodic assessment of the security risks posed by third-party activities
Those policies should also set out, to the extent applicable, the controls the covered entity expects of its third-party service providers, such as access controls including multifactor authentication (MFA), encryption of nonpublic information, and timely notice of cybersecurity events affecting the entity’s data.
R11 – Deploy Multifactor Authentication
Based on the outcome of its risk assessment, each covered entity must use effective controls (e.g., MFA or risk-based authentication) to protect against unauthorized access to nonpublic information and information systems. MFA is specifically required for any individual accessing the entity’s internal networks from an external network, unless the CISO has approved in writing the use of reasonably equivalent or more secure access controls.
R12 – Limit Data Retention
Any nonpublic information no longer necessary for a covered entity’s business operations or other legitimate business purposes must be securely disposed of on a periodic basis. The NYCRR 500 allows only two exceptions: where the information must be retained by law or regulation, and where targeted disposal is not reasonably feasible because of the manner in which the information is maintained.
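The retention minimums in R5 (five years for transaction-reconstruction records, three years for audit trails) and the disposal rule in R12 (dispose of nonpublic information once it is no longer needed, unless retention is legally required or targeted disposal is not feasible) pull in opposite directions, so a disposal job has to check both before it deletes anything. The following Python is an added example written for this article; it is not code from the regulation or from RSI Security. The record classes, field names, the mapping of classes to retention periods, and the sample records are all assumptions made for illustration.

```python
"""Added example (not from the original post): a retention-and-disposal
policy check combining the 23 NYCRR 500.06 minimum retention periods with the
500.13 disposal rule and its two exceptions. Record classes, field names and
sample data are assumptions for illustration only."""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import List, Optional, Tuple


class RecordClass(Enum):
    TRANSACTION = "transaction_reconstruction"   # 500.06(a)(1): keep >= 5 years
    AUDIT_TRAIL = "audit_trail"                  # 500.06(a)(2): keep >= 3 years
    OTHER_NPI = "other_npi"                      # no 500.06 minimum; 500.13 applies


# Minimum retention in years per record class (assumed mapping).
MIN_RETENTION_YEARS = {
    RecordClass.TRANSACTION: 5,
    RecordClass.AUDIT_TRAIL: 3,
    RecordClass.OTHER_NPI: 0,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    record_class: RecordClass
    created: date
    business_need_ended: Optional[date]   # None = still needed for a business purpose
    legal_hold: bool = False              # litigation hold or other law requiring retention
    targeted_disposal_feasible: bool = True


def add_years(d: date, years: int) -> date:
    """Add whole years; a 29 February start is clamped to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_expires(rec: Record) -> date:
    """Earliest date on which the 500.06 minimum retention is satisfied."""
    return add_years(rec.created, MIN_RETENTION_YEARS[rec.record_class])


def disposal_decision(rec: Record, as_of: date) -> Tuple[bool, str]:
    """Return (may_dispose, reason). Each outcome names the controlling rule so
    the decision itself can be written to the audit trail."""
    if rec.legal_hold:
        return False, "keep: retention required by law (500.13 exception)"
    if not rec.targeted_disposal_feasible:
        return False, "keep: targeted disposal not reasonably feasible (500.13 exception)"
    if rec.business_need_ended is None:
        return False, "keep: still required for a legitimate business purpose"
    expiry = retention_expires(rec)
    if as_of < expiry:
        return False, f"keep: 500.06 minimum retention runs until {expiry.isoformat()}"
    return True, "dispose: no business need and minimum retention satisfied"


def disposal_queue(records: List[Record], as_of: date) -> List[str]:
    """IDs of records that may be securely disposed of as of the given date."""
    return [r.record_id for r in records if disposal_decision(r, as_of)[0]]


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    Record("txn-001", RecordClass.TRANSACTION, date(2017, 3, 1), date(2018, 1, 1)),
    Record("txn-002", RecordClass.TRANSACTION, date(2020, 6, 30), date(2020, 12, 31)),
    Record("log-001", RecordClass.AUDIT_TRAIL, date(2019, 2, 28), date(2019, 3, 1)),
    Record("log-002", RecordClass.AUDIT_TRAIL, date(2019, 2, 28), date(2019, 3, 1),
           legal_hold=True),
    Record("npi-001", RecordClass.OTHER_NPI, date(2021, 1, 1), None),
    Record("npi-002", RecordClass.OTHER_NPI, date(2021, 1, 1), date(2022, 1, 1),
           targeted_disposal_feasible=False),
]

if __name__ == "__main__":
    today = date(2023, 1, 1)
    for rec in SAMPLE_RECORDS:
        _, why = disposal_decision(rec, today)
        print(f"{rec.record_id}: {why}")
    print("disposal queue:", disposal_queue(SAMPLE_RECORDS, today))
```

Run as of 1 January 2023, only `txn-001` and `log-001` reach the disposal queue: the other transaction record is still inside its five-year minimum, one audit trail is under legal hold, one record is still in business use, and one cannot be disposed of in a targeted way. The legal-hold and feasibility checks deliberately come first, because either one overrides everything else, and every "keep" returns the reason so the run can be logged rather than silently skipping records.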
R13 – Train and Monitor System Users
To keep their cybersecurity programs effective, covered entities must:
- Design and implement controls to monitor authorized user activity and track unauthorized user access attempts
- Provide routine cybersecurity awareness training to address any risks identified during a risk assessment
R14 – Encrypt Nonpublic Information
The 23 NYCRR 500 requires covered entities to implement controls, including encryption, to protect nonpublic information both in transit over external networks and at rest. Where encryption of data in transit or at rest is infeasible, the entity may instead use effective alternative compensating controls reviewed and approved by the CISO. The CISO must review the feasibility of encryption and the effectiveness of any compensating controls at least annually to keep the cybersecurity program effective.
R15 – Develop Incident Response Plans
Covered entities are also required to document and implement incident response plans to respond to and recover from cybersecurity events that could disrupt business operations.
The incident response plan should include:
- Internal processes for responding to security incidents
- Definitions of roles and responsibilities during incidents
- Processes for communicating updates about incidents
- Requirements for remediating gaps and weaknesses identified post-incident
- Procedures for revising the incident response plan
Considering each organization’s unique needs, 23 NYCRR 500 compliance will likely look different, especially when complemented with the controls of frameworks like NIST CSF or PCI DSS. The most effective way to navigate all requirements is to work with a NYCRR 500 advisor.
Optimize Your 23 NYCRR 500 Compliance
As a financial services institution operating in the State of New York, 23 NYCRR 500 compliance is your starting point for mitigating cybersecurity risks to consumers’ nonpublic financial data. At RSI Security, our team of NYDFS security experts will help guide you along the journey to becoming NYCRR 500-compliant—keeping your data safe year-round.
Contact RSI Security today to learn more and get started!