It is a landmark regulation that is expected to have ripple effects on the cybersecurity practices of financial institutions not only in the United States but also worldwide. The New York State Department of Financial Services (NYDFS) Cybersecurity Regulation, commonly referred to as 23 NYCRR 500, is considered one of the most comprehensive cybersecurity regulations in the financial sector.
This regulation takes on cybersecurity issues for financial institutions head-on by establishing strict requirements for state-chartered banks, private bankers, licensed lenders, mortgage companies, insurance companies, service providers, and foreign banks operating in New York.
This post details the various aspects of this landmark regulation and, more importantly, what covered entities can do to achieve NYDFS cybersecurity compliance.
What is the 23 NYCRR 500?
The 23 NYCRR 500 aims to thwart cyber attacks by setting minimum standards in cybersecurity and promoting strong governance in concerned institutions. Approved by the NYDFS on March 1, 2017, after rounds of consultation with the public and the financial services industry, it is the first law of its kind to be implemented at the state level. The regulation requires all covered financial institutions operating in New York to implement a comprehensive framework for enhanced consumer data privacy protection.
Taking into account the ever-growing threat that cybercriminals pose to financial systems, the 23 NYCRR 500 ensures that businesses are able to effectively secure and protect the confidential information of their customers against cyber attacks. This objective is achieved by requiring NYDFS-supervised entities to evaluate their cybersecurity risks and implement a detailed plan for identifying and mitigating those risks.
The 23 NYCRR 500 has drawn comparisons with the General Data Protection Regulation (GDPR) of the European Union (EU) which requires enterprises to protect the personal data of EU citizens for any online transaction occurring within EU member-states. Like the GDPR, it will also impact companies that are headquartered outside of the state and even those outside the United States.
The financial services sector is a key growth driver of the state of New York, which is home to many of the biggest local and foreign financial institutions. Suffice it to say, the state's economy will take a big hit if this sector falters. The passing and implementation of the NYDFS cybersecurity regulation underline the importance of the financial sector to the state's economy.
Who should comply with 23 NYCRR 500?
This newly-implemented cybersecurity regulation in New York covers organizations regulated by the state’s Department of Financial Services from the biggest international banking entities to the smallest brokers. Also referred to as covered entities, these include:
- State-chartered banks
- Licensed lenders
- Trust firms
- Private bankers
- Mortgage companies
- Service contract providers
- Insurance firms operating in New York
- Non-U.S. banks that are licensed to operate in New York
- Third-party service providers of these entities
In short, covered entities are individuals, groups, or corporations legally operating under New York financial services laws.
There are exemptions to this regulation, albeit a short list. Exempted from this cybersecurity regulation are the following:
- Companies employing fewer than 10 personnel
- Organizations with gross annual revenue of not more than $5 million from their New York operations in each of the previous three years
- Firms with less than $10 million in year-end total assets
- Charitable/foreign risk groups operating in New York
Four Phases of Implementation
Similar to the GDPR, it has a phased implementation process that gives organizations more time to develop and implement robust cybersecurity policies and controls:
Phase 1 (August 28, 2017 deadline)
Required concerned firms to set up a formal cybersecurity program, hire cybersecurity personnel and appoint a chief information security officer (CISO). Covered entities must also regularly review user access privileges and develop an incident response plan including notifying the NYDFS of data breaches within 72 hours.
The regulation specifically mentions that data breaches with a ‘reasonable likelihood of materially harming part’ should be reported to the NYDFS. One example would be a keylogger installed in a bank’s foreign exchange area that steals user passwords.
Phase 2 (March 1, 2018 deadline)
Established reporting procedures. A vital requirement is the preparation of an annual report by a CISO detailing the entity’s information security policies and procedures. The annual report must also assess the effectiveness of the affected entity’s existing cybersecurity measures in mitigating security risks.
It also required concerned organizations to regularly conduct penetration testing and vulnerability assessments, perform risk assessments of information systems, and utilize risk-based authentication. It also called on firms to regularly conduct cybersecurity awareness training and to continually test their vulnerability to cyber attacks.
Phase 3 (September 3, 2018 deadline)
This phase focused on the implementation of the covered entities’ cybersecurity program. By this time, covered entities are expected to maintain a database of their records and audit trails. Guidelines for the secure disposal of sensitive data must be developed and followed, as must monitoring and detection of unauthorized access to information.
Phase 4 (March 1, 2019 deadline)
The end of the two-year transitional period, with firms required to be 23 NYCRR 500-compliant. At a minimum, a covered entity’s third-party security policy is expected to define the identification and risk assessment of its third-party service providers.
Moreover, cybersecurity requirements should have been met for covered entities and their third-party service providers to conduct business.
It is also during this phase that due diligence processes are implemented to evaluate the adequacy of the cybersecurity practices of third-party service providers.
Key Provisions of 23 NYCRR 500
The 23 NYCRR 500 contains regulatory minimum standards designed to prevent data breaches. The regulation has 23 sections detailing the requirements for the development and implementation of an effective cybersecurity program. Below are some of the main provisions:
1. Covered entities are required to set up a cybersecurity program
Section 500.02 of the regulation stipulates that covered entities must maintain a cybersecurity program to protect the confidentiality, integrity, and availability of their information systems. It must also be based on the risk assessment of the covered entity. Moreover, all documents and information pertaining to the program should be made available upon request of the Superintendent of Financial Services.
Aside from this overarching requirement, the regulation also requires covered entities to appoint a chief information security officer (CISO) who will oversee and implement the cybersecurity program of the covered entity. This top official should be appropriately qualified and may be outsourced to an affiliate or a third party.
The CISO must also report on the covered entity’s cybersecurity policies to the board and senior management at least once a year. This official should also document remediation efforts undertaken for any weakness in the cybersecurity policies. Meanwhile, the senior management of covered entities is tasked with reviewing and approving cybersecurity policies.
2. Covered entities shall manage third-party service provider risk
Section 500.11 specifies that each covered entity must identify and assess the risks associated with third-party service providers. Moreover, covered entities should develop written policies and procedures to guarantee the security of data, information systems, and nonpublic information accessible to or held by third-party service providers.
In 23 NYCRR 500, nonpublic information is defined as electronic information that is not publicly available. It can be business-related information or customer information including social security number, driver’s license number, account number, and biometric records, among others. It may also be healthcare information.
3. Covered entities should file annual compliance certification.
In section 500.16, the regulation states that a covered entity should file an annual 23 NYCRR 500 compliance certification stating that the board has reviewed the concerned firm’s cybersecurity documentation and policies. Signed and submitted by the chairman of the board or a senior officer, the certification should be submitted yearly by February 15. All records pertaining to this certification should be maintained for at least 5 years.
4. Cybersecurity training to be provided by covered entities.
Section 500.14 broadly states the requirement to provide regular cybersecurity training for all personnel. It also notes that training should be given by qualified personnel who are familiar with technological controls for cybersecurity. Employees of covered entities must be trained to handle and resolve IT and security issues so they can help their organizations mitigate and address cybersecurity risks.
5. Covered entities are required to use technology controls for cybersecurity
The NYDFS cybersecurity regulation also mentions a number of technological controls such as application security, penetration testing, vulnerability assessment, multi-factor authentication, and encryption of non-public information.
Impact of NYDFS Non-Compliance
Non-compliance with the 23 NYCRR 500 can be devastating to covered institutions. While the NYDFS does not specifically state the penalties for covered entities that fail to comply with the cybersecurity regulation, what is certain is that non-compliance can lead to legal costs and settlements.
Aside from possible fines and penalties, covered entities face the risks of losing customers and dealing with fraud losses. Non-compliance may also erode the concerned institutions’ brand reputation and potentially lead to going out of business.
How to Achieve NYDFS Cybersecurity Compliance
The process starts by determining whether the concerned organization is a covered entity. Refer to section 500.19 of the 23 NYCRR 500, which details the exclusions. The list of exemptions is rather short, so most organizations will need to plan to comply with the requirements set by the 23 NYCRR 500.
If an organization is a covered entity, the next step would be the formal appointment or hiring of a CISO who will be tasked to spearhead the establishment of a NYDFS security program. The CISO should also have the responsibilities and accountabilities discussed in the earlier parts of this post.
Cyber risk assessment is very important in the 23 NYCRR 500. It should be conducted periodically to assess the integrity, confidentiality, and security of the covered entity’s IT infrastructure.
Working With A Cybersecurity Expert
Working with a cybersecurity expert like RSI Security is a good step towards complying with the provisions stated in Section 500.09. RSI Security presents independent, unbiased, and in-depth security assessment.
RSI Security can guide covered entities through the compliance validation process to help institutions abide by the NYDFS guidelines and focus on running their businesses. RSI’s validation process is scalable for any business. The company has also worked with all sorts of organizations, from small businesses to large national chains.
Cybersecurity training is another integral component of NYDFS cybersecurity compliance that RSI Security can help address. The company’s security awareness training program features a vast and diverse library of more than 400 kinds of training content, such as videos, newsletters, interactive modules, and games. The firm can help covered entities educate their employees on what to look out for, such as spam, malware, phishing, and spear-phishing.
Limiting access privileges to personally identifiable information must also be addressed by covered entities, as stipulated by section 500.07 of the 23 NYCRR 500. RSI Security can assist covered entities in implementing security protocols in compliance with this regulation. Concerned entities may be able to manage access privileges through RSI solutions such as multi-factor authentication, identity management assessment, and implementation integration.
The quest to achieve NYDFS cybersecurity compliance should not be a lonely and grueling one. RSI Security can guide covered entities with the information and guidance necessary to start their compliance journey with 23 NYCRR 500.
As one of the top cybersecurity and compliance providers in the country, RSI Security is dedicated to assisting organizations in complying with applicable regulations such as the NYDFS cybersecurity regulation.
RSI Security can help covered entities get through the process of achieving NYDFS security compliance so they can enjoy the peace of mind of having secure data and avoid devastating consequences. Learn more about how RSI Security can assist in NYDFS compliance and cybersecurity solutions.