The NYDFS Cybersecurity Regulation (23 NYCRR 500) is a set of regulations from the New York State Department of Financial Services (NYDFS) that places cybersecurity requirements on all Covered Entities (financial institutions and financial services companies). It includes 23 sections outlining requirements for developing and implementing an effective cybersecurity program, requiring Covered Entities to assess their cybersecurity risk and develop a plan to proactively address those risks.
Most agree that cyber attacks are a growing threat and more needs to be done in terms of regulation and legal controls to help protect our sensitive data and personally identifiable information (PII). However, New York's proposal garnered mixed reviews and drew criticism, with some arguing the proposed regulations were too stringent and prescriptive.
On February 16, 2017, the final NYDFS Cybersecurity Regulation was released after two rounds of industry and public feedback, with an effective date of March 1, 2017. It set out a phased implementation schedule with four distinct transitional periods to give organizations time to implement more robust policies and controls.
In Gov. Cuomo’s words: "This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber attacks to the fullest extent possible."
Who are Covered Entities Under the NYDFS Cybersecurity Regulation?
The NYDFS Cybersecurity Regulation applies to all entities operating or required to operate under DFS licensure, registration, charter or who are otherwise DFS-regulated. Third-party service providers are not themselves Covered Entities, but they are reached indirectly: a Covered Entity must impose security requirements on any vendor that accesses its systems or Nonpublic Information. Examples of Covered Entities include:
- State-chartered banks
- Licensed lenders
- Private bankers
- Foreign banks licensed to operate in New York
- Mortgage companies
- Insurance companies
There are limited exemptions to the NYDFS Cybersecurity Regulation for organizations that employ fewer than 10 people (including independent contractors), produced less than $5 million in gross annual revenue from New York operations in each of the past three fiscal years, or hold less than $10 million in year-end total assets. Meeting any one of these thresholds qualifies a Covered Entity for the limited exemption, but it is partial: such entities are still subject to core requirements such as the cybersecurity program and policy, access privileges, risk assessment, third-party service provider policy, data retention limits and notice to the Superintendent.
What are the Key Components for the NYDFS Cybersecurity Regulation?
The initial phase of the NYDFS Cybersecurity Regulation came into effect on August 28, 2017 (180 days after the effective date) and requires Covered Entities to adopt a written cybersecurity policy and an incident response plan, with notice to the Superintendent within 72 hours of determining that a reportable cybersecurity event has occurred. The policy must be based on the Covered Entity's risk assessment and, to the extent applicable, address areas including:
- Information security
- Access controls and identity management
- Business continuity and disaster recovery planning
- Capacity and performance planning
- Security of information systems, operations and availability
- Systems and network security
- Systems and application development and quality assurance
- Periodic risk assessments
The second phase went into effect on March 1, 2018 and requires the Chief Information Security Officer (CISO) to prepare an annual written report to the board of directors (or equivalent governing body) that covers:
- The organization's cybersecurity policies and procedures
- Cybersecurity risks
- Effectiveness of current cybersecurity measures
Phase three went into effect on September 3, 2018 and requires Covered Entities to have a comprehensive cybersecurity program in place whose core functions mirror those of the NIST Cybersecurity Framework, by:
- Continuously evaluating vulnerabilities and proactively responding to cyber threats
- Defining
- Maintaining an audit trail reflecting threat detection and response activities
- Writing documentation, e.g. an information security policy, along with procedures, standards and guidelines for secure development of in-house applications and for evaluating the security of third-party applications
- Documenting a data retention policy, including how Nonpublic Information that is no longer needed is securely disposed of
- Investing in data security controls like data encryption, data governance and data protection, as well as other security controls
- Creating defensive infrastructure to protect covered information
- Detecting cybersecurity events such as data breaches
- Restoring normal operations and services after a cybersecurity event
The final phase went into effect on March 1, 2019 and requires Covered Entities to finalize their vendor management policies regarding third-party service providers who are given access to systems and Nonpublic Information covered by the regulation. Covered Entities must develop a written policy for third-party risk management that details:
- A third-party risk assessment framework
- The Covered Entity's minimum security requirements for third-party vendors, e.g. requiring every vendor to provide a SOC 2 report
- A vendor risk assessment questionnaire template and due diligence process that details how to evaluate the effectiveness of a third-party's security practices
- Periodic assessment of third-party policies and controls
Additional requirements include:
- Use of qualified, continuously trained cybersecurity personnel to manage evolving cyber threats and to provide mandatory, ongoing cybersecurity education and training
- Notification to the Superintendent, within 72 hours of determination, of any cybersecurity event that carries a reasonable likelihood of materially harming normal operations or that requires notice to another government body or regulator, e.g. data breaches and data leaks
- Limiting user access privileges to Nonpublic Information under the principle of least privilege, and periodically reviewing those privileges, to reduce the impact of compromised accounts and privilege escalation
- Multi-factor authentication for any individual accessing the Covered Entity's internal networks from an external network, unless the CISO has approved in writing reasonably equivalent or more secure access controls
- Annual penetration testing and bi-annual vulnerability assessments, unless the Covered Entity performs continuous monitoring
Covered Entities must complete an annual certification process that requires the board of directors or a senior officer to review the organization's cybersecurity program and submit a Certification of Compliance with the NYDFS Cybersecurity Regulation to the Superintendent by February 15 of each year.
What are the Penalties for Not Complying With the New York Cybersecurity Regulations?
One frustrating aspect for Covered Entities is that the regulation itself contains no penalty schedule, and the New York Department of Financial Services has not clearly communicated what will result from noncompliance. Enforcement falls under DFS's general authority over the institutions it regulates, and at the time of writing no fines had been imposed.
That said, the regulation is now in full force, and violations can be expected to draw enforcement actions and fines.
How to Comply With the NYDFS Cybersecurity Regulation
As the NYDFS Cybersecurity Regulation is in full effect, organizations need to comply with all practices outlined above, including appointing a CISO, conducting periodic risk assessments, maintaining a cybersecurity program whose core functions mirror the NIST Cybersecurity Framework, and investing in third-party and fourth-party risk management programs.
Organizations should:
- Assess whether they are classified as covered
- Assemble a team under the CISO that is responsible for the day-to-day management of compliance with the NYDFS Cybersecurity Regulation
- Understand their risk profile and conduct periodic risk assessments to identify cyber threats and vulnerabilities; continuous security rating software is one way to keep this assessment current between formal reviews
- Invest in vendor risk management
- Read the NYDFS Cybersecurity Regulation FAQs
Conclusion
In a further demonstration of how critical risk assessment is, the Department explicitly reiterated that compliance with various provisions will be dependent on Section 500.9 Risk Assessment. The affected requirements include the Cybersecurity Program, Cybersecurity Policy, (annual) Penetration Testing and (biannual) Vulnerability Assessments, Access Privileges, Third Party Service Provider Security Policy, Multi-Factor Authentication, Encryption of Nonpublic Information and Training and Monitoring. In evaluating Covered Entities, DFS is unequivocal that "Risk Assessment is not intended to permit a cost-benefit analysis of acceptable losses where an institution is faced with cybersecurity risks.” Therefore, the integrity of an organization’s risk assessment is the central tenet for compliance with 23 NYCRR 500. As pointed out in our first webinar, internal and external assessments are essential for effective compliance.
In spite of concerns that certain definitions were too broad and could be overly burdensome to comply with, DFS chose to retain some in their present form (Cybersecurity Event, Information System, Publicly Available Information), while the definition of Nonpublic Information was altered and a definition of Risk Assessment was added. It is especially noteworthy that the definition of "Cybersecurity Event" is unchanged: any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System. Companies are required not only to detect, evaluate, document, respond to and recover from such events, but also to notify New York's Superintendent of Financial Services within 72 hours of determining that a reportable Cybersecurity Event has occurred.
Like GDPR, 23 NYCRR 500 is a welcome regulation for those who are concerned with protecting sensitive data and improving global cyber resilience.