What is the NYDFS Cybersecurity Regulation?
The NYDFS Cybersecurity Regulation – also referred to as 23 NYCRR 500 – is a set of regulations that is considered cybersecurity best practice for financial institutions. It is a set of rules that imposes new and stricter cybersecurity requirements on organizations, especially financial institutions.
These regulations cover all individuals or agencies that are DFS-regulated through a license, including insurance firms, state-owned chartered banks, private bankers, mortgage firms, licensed lenders, and foreign banks operating in New York.
Also, the regulation applies to unregulated third-party service providers that work with regulated entities. These regulations are aimed at foiling cyber attacks by setting minimum standards in cybersecurity and promoting strong governance in concerned institutions. It also aims to recognize and mitigate cybersecurity risks directed at financial institutions. The regulation, which is regarded as the first law of its kind to be enforced at the state level, was approved by the NYDFS on March 1, 2017, after a series of deliberations with the financial services industry.
The NYDFS cybersecurity checklist requires all financial institutions operating in New York to adopt and implement a detailed framework that enhances the organization’s cybersecurity plan, to enact a comprehensive cybersecurity policy, and to launch and maintain an ongoing reporting process for cybersecurity events. The regulation is expected to have ripple effects on cybersecurity practices for financial institutions not just in the United States but worldwide.
It is recognized as a set of cybersecurity best practices for financial institutions. Given the ever-growing cybersecurity threats to financial systems, implementing 23 NYCRR 500 helps ensure that businesses can secure customer data and their organization’s financial information against cyber attacks. 23 NYCRR 500 is often compared with the General Data Protection Regulation (GDPR) of the European Union (EU), which requires enterprises to secure the personal data of EU citizens for any online financial transaction occurring within EU member states.
The approval and enforcement of the NYDFS cybersecurity regulation are of high importance to the financial sector of New York, which is home to many of the top local and foreign financial organizations. Check out our NYDFS cybersecurity checklist to see if you are meeting all compliance rules and guidelines.
Who Does The 23 NYCRR 500 Cover?
The 2017 NYDFS cybersecurity checklist covers only organizations regulated by the Department of Financial Services (DFS). Such organizations are regulated through a license, certificate, charter, accreditation, or permit, and include:
- Trust companies.
- State-owned chartered banks.
- Mortgage firms.
- Licensed lenders.
- Private bankers.
- Service contract providers.
- Insurance companies operating in New York State.
- Non-United States banks that have a license to operate in New York.
- Or any third-party service providers.
However, there are some exemptions to this regulation.
Who Does The 23 NYCRR 500 Not Cover?
Excused from this cybersecurity regulation are the following firms:
- Organizations employing fewer than 10 staff.
- Organizations whose gross annual revenue from their New York operations was not more than $5 million in the three years before the implementation of the regulation.
- Companies with year-end total assets of less than $10 million.
- Charitable organizations/foreign risk groups that operate in New York.
Consequences Of NYDFS Non-Compliance
Non-compliance with 23 NYCRR 500 can have devastating effects on institutions. While the NYDFS does not specifically state the penalties to be imposed on institutions that fail to comply with the cybersecurity regulation, other consequences are certain, such as litigation costs and customer settlements. Non-compliance may damage the reputation of the institution involved and potentially put it out of business. Apart from possible fines and penalties, non-compliant entities face the risk of losing business customers.
NYDFS Cybersecurity Checklist
The 23 NYCRR 500 regulatory standards and rules are designed to ensure cybersecurity and prevent data breaches at covered organizations. The regulation has 23 sections with detailed requirements. Below are some of the main provisions; a more extensive list can be found here.
1. Cyber Security Program (Section 500.02)
This section states that covered entities must establish a cybersecurity program. The program is to be based on periodic risk assessments and monitoring meant to swiftly identify and manage risks. The cybersecurity program is to effectively protect information systems and nonpublic information, and to appropriately respond to and recover from cybersecurity events. All documents pertaining to the program should be made readily available upon request by the Superintendent of Financial Services.
2. Chief Information Security Officer (Section 500.04)
In addition, covered entities are to appoint a Chief Information Security Officer (CISO) who will oversee and implement the cybersecurity program. The CISO should be a cybersecurity specialist and may be provided through an affiliate or a third party. The CISO is also to report on the cybersecurity policies and their implementation to senior management.
3. Penetration Testing and Vulnerability Management (Section 500.05)
To get a realistic view of how cybercriminals exploit IT vulnerabilities and to create actionable ways to stop them, penetration testing is key. Apart from conducting penetration tests regularly, the cybersecurity experts on your organization’s team should stay aware of the latest security information, understand the constantly evolving cybercrime landscape, and learn the latest techniques to recognize and defend against cyber threats.
4. Audit Trail (Section 500.06)
Maintain audit trails for systems and databases that make it possible to reconstruct all transactions following a cybersecurity breach. Audit trails also capture the traces cybercriminals leave behind, which helps detect and respond to cybersecurity events. Maintain audit trail records for at least 3 years.
5. Risk Assessments (Section 500.09)
Institutions should conduct documented, periodic (bi-annual) risk assessments that weigh current threats against existing control levels in order to identify security risk.
6. Cybersecurity Personnel and Intelligence (Section 500.10)
Employ the services of a qualified chief cybersecurity officer or a third-party service provider to manage the institution’s risks. Such personnel should oversee the performance of the organization’s essential cybersecurity strategies.
Covered entities should create written procedures to protect the security of data and nonpublic information accessible to third parties. Nonpublic information can be organization-related data or customer data, including bank account numbers, biometric records, social security numbers, and driver’s license numbers.
7. Multi-Factor Authentication (Section 500.12)
In order to prevent unauthorized access to nonpublic information, the use of multi-factor authentication (i.e. more than one method of verifying a user’s identity) is required for any individual accessing internal information from an external network. Multi-factor authentication is specifically designed to make unauthorized access to a database very difficult.
8. Training and Monitoring (Section 500.14)
Institutions are required to provide regular cybersecurity training for all their personnel. The training should be given by a professional information and cybersecurity expert who is familiar with the evolving cybercrime landscape. Employees should be trained to attend to and resolve basic information technology and security issues, so they can help the organization mitigate cybersecurity breaches and risks.
9. Encryption of Nonpublic Information (500.15)
All covered entities must implement encryption controls, based on the risk assessment (Section 500.09), that secure nonpublic information held on or transmitted over external systems. Encryption controls must be reviewed and approved by the assigned CISO regularly.
10. Annual Compliance Certification (section 500.16)
The regulation states that a covered entity should file an annual 23 NYCRR 500 compliance certification indicating that the board has reviewed the firm’s cybersecurity policies, implementation plan, and documentation.
Cybersecurity is now critically important to the progress of every company around the world. The NYDFS checklist shows just how much companies stand to lose if they do not comply with the regulations. Although cybercrime is on the increase, this checklist helps to curb the activities of cybercriminals. However, without the help of a cybersecurity officer, implementing the regulations may cost more time and resources. To receive assistance with cybersecurity operations and to learn more about the NYDFS cybersecurity requirements, contact RSI Security today.