The NYDFS Cybersecurity Regulation (23 NYCRR Part 500) is a set of regulations from the New York State Department of Financial Services (NYDFS) that places cybersecurity requirements on all Covered Entities (financial institutions and financial services companies). It includes 23 sections outlining requirements for developing and implementing an entity’s cybersecurity program, requiring Covered Entities to assess their cybersecurity risks and develop a plan to proactively address them.
Most agree that cyber attacks are a growing threat and more needs to be done in terms of regulation and legal controls to help protect our sensitive data and personally identifiable information (PII). However, New York's proposal garnered mixed reviews and drew criticism, with some arguing the proposed regulations were too stringent and prescriptive.
On February 16, 2017, the NYDFS Cybersecurity Regulation was released after two rounds of industry and public feedback, with a phased implementation process of four distinct phases to give organizations time to implement more robust policies and controls.
In Gov. Cuomo’s words: "This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber attacks to the fullest extent possible."
Which organizations must comply with NYDFS Cybersecurity Regulation?
The NYDFS Cybersecurity Regulation applies to all entities operating or required to operate under DFS licensure, registration, or charter, or that are otherwise DFS-regulated, as well as their third-party vendors and service providers. Examples of covered entities include:
- State-chartered banks
- Licensed lenders
- Private bankers
- Foreign banks licensed to operate in New York
- Mortgage companies
- Insurance companies
- Service providers
There are limited exemptions to the NYDFS Cybersecurity Regulation, namely organizations that employ fewer than 10 people, produce less than $5 million in gross annual revenue from New York operations in each of the past three years, or hold less than $10 million in year-end total assets.
What are the key components of the NYDFS Cybersecurity Regulation?
The initial phase of the NYDFS Cybersecurity Regulation came into effect on February 18, 2018, and requires Covered Entities to develop a cybersecurity policy, including an incident response plan that provides for data breach notification within 72 hours. The policy must align with industry best practices and ISO 27001 standards by covering:
- Information security
- Access controls and identity management
- Business continuity and disaster recovery planning
- Capacity and performance planning
- Security of information systems, operations, and availability
- Systems and network security
- Systems and application development and quality assurance
- Periodic risk assessments
The second phase went into effect on March 1, 2018, and requires Chief Information Security Officers (CISOs) to prepare an annual report that includes:
- The organization's cybersecurity policies and procedures
- Cybersecurity risks
- Effectiveness of current cybersecurity measures and remediation processes
Phase three went into effect on September 3, 2018, requiring Covered Entities to have a comprehensive cybersecurity program in place that aligns with the NIST Cybersecurity Framework by:
- Continuously evaluating vulnerabilities and proactively responding to cyber threats
- Maintaining an audit trail reflecting threat detection and risk-based response activities
- Documenting procedures, standards, and guidelines (e.g. in an information security policy) for in-house application development and for evaluating third-party applications
- Detailing data retention policy documentation, including how non-public personally identifiable information (PII) is disposed of
- Investing in data security controls like data encryption, data governance, and data protection, as well as other security controls
- Creating the defensive infrastructure that safeguards covered information and asset inventory
- Detecting cybersecurity events such as data breaches
- Restoring normal operations and services after a cybersecurity event
The final phase went into effect on March 1, 2019, requiring Covered Entities to finalize their vendor management policies regarding third-party vendors that are given permission to access systems and files covered by the new regulation. Covered Entities must develop a written policy for vendor risk management that details:
- A third-party risk assessment framework
- The Covered Entity's minimum security requirements for third-party vendors, e.g. every vendor must have SOC 2 assurance
- A vendor risk assessment questionnaire template and due diligence process that details how to evaluate the effectiveness of a third party's security practices
- Periodic assessment of third-party policies and controls
Additional requirements include:
- Use of qualified, continuously trained cybersecurity personnel to manage evolving cyber threats and to provide mandatory, ongoing cybersecurity education and training
- Notification of any cybersecurity events that carry a reasonable likelihood of causing material harm, e.g. data breaches and data leaks to external networks
- Use of the principle of least privilege to minimize the risk of certain types of privilege escalation attacks
- Multi-factor authentication for all inbound connections to the Covered Entity's network
- Penetration testing
Covered Entities and regulated entities must complete an annual certification process that requires their board of directors to review the organization's cybersecurity program and provide a Certification of Compliance with the NYDFS Cybersecurity Regulation.
2024 updates to the NYDFS Cybersecurity Regulation
By November 1, organizations under NYDFS jurisdiction, including banks, must meet updated cybersecurity requirements. These updates aim to strengthen the cybersecurity framework for financial services companies, addressing increasing cyber threats and protecting sensitive information. Newly updated requirements include:
- Enhanced Governance and Reporting: The Chief Information Security Officer (CISO) must report material cybersecurity issues, including significant cybersecurity incidents and changes in the cybersecurity program, to the senior governing body or officers.
- Senior Officer Oversight: The senior governing body must actively oversee cybersecurity practices, stay informed about cybersecurity threats, and review regular management reports.
- Data Encryption Standards: Organizations must implement a written policy mandating encryption that meets industry standards to protect nonpublic information and customer data. Alternatives for data at rest are allowed if the CISO approves them in writing.
- Incident Response Plan Updates: The updated plan should include steps for responding to cybersecurity events, recovery from backups, and conducting a root cause analysis post-incident.
- Business Continuity and Disaster Recovery: Organizations must maintain a disaster recovery plan with backups to ensure the restoration of critical operations and train employees on their roles in these plans. The incident response plan, disaster recovery plan, and backup systems must be tested at least annually.
What are the penalties for not complying with the New York Cybersecurity Regulations?
One frustrating aspect for Covered Entities is that the New York Department of Financial Services has not clearly communicated what will result from noncompliance. It has simply stated that fines for noncompliance will be calculated, and no fines have been imposed.
That said, the regulation is now in full force and violations will have fines imposed soon.
A guide to complying with the NYDFS Cybersecurity Regulation
As the NYDFS Cybersecurity Regulation is in full effect, organizations need to comply with all practices outlined above, including appointing a CISO, conducting periodic risk assessments, maintaining a cybersecurity program that aligns with the NIST Cybersecurity Framework, and investing in third-party and fourth-party risk management programs.
Organizations should:
- Assess whether they are classified as covered
- Assemble a team under the CISO that is responsible for the day-to-day management of compliance with the NYDFS Cybersecurity Regulation
- Understand their risk profile and conduct periodic risk assessments to identify cyber threats and manage vulnerabilities; continuous security rating software is one way to do this
- Invest in Vendor Risk Management
- Read the NYDFS Cybersecurity Regulation FAQs
Conclusion
In a further demonstration of how critical risk assessment is, the Department explicitly reiterated that compliance with various provisions will be dependent on Section 500.9 Risk Assessment. The affected requirements include the Cybersecurity Program, Cybersecurity Policy, (annual) Penetration Testing and (biannual) Vulnerability Assessments, Access Privileges, Third Party Service Provider Security Policy, Multi-Factor Authentication, Encryption of Nonpublic Information and Training and Monitoring.
In evaluating Covered Entities, DFS is unequivocal that "Risk Assessment is not intended to permit a cost-benefit analysis of acceptable losses where an institution is faced with cybersecurity risks." Therefore, the integrity of an organization's risk assessment is the central tenet for compliance with 23 NYCRR 500. As pointed out in our first webinar, internal and external assessments are essential for effective compliance.
In spite of concerns that certain definitions were too broad and could be overly burdensome to comply with, DFS chose to retain some in their present form (Cybersecurity Event, Information System, Publicly Available Information), while Nonpublic Information and Risk Assessment were altered and added. It is especially noteworthy that the definition of "Cybersecurity Event" is unchanged: any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt, or misuse an Information System or information stored on such Information System. Companies are required not only to be able to detect, evaluate, document, respond to, and recover from such events, but also to notify New York's Superintendent of Financial Services within 72 hours after determination.
Like GDPR, 23 NYCRR 500 is a welcome regulation for those who are concerned with protecting sensitive data and improving global cyber resilience.