On March 1, 2017, the New York Department of Financial Services (DFS) put 23 NYCRR 500 into effect. The purpose of this regulation is to place obligations on banks, insurance providers, and other financial service providers licensed or regulated by DFS (with limited exemptions) to assess and manage their cybersecurity risk. The rule also reaches New York branches, agencies, and representative offices of non-US banking institutions licensed to operate in the state.
What is the NYDFS Cybersecurity Regulation?
The NYDFS Cybersecurity Regulation, also known as 23 NYCRR 500, is a regulation issued by the New York Department of Financial Services that defines the cybersecurity program, information systems controls, and nonpublic information protections that every bank, insurer, and other financial institution regulated by DFS in New York State must follow.
23 NYCRR 500 protects consumers by protecting the safety and soundness of the financial institution itself. From the effective date onward, every entity covered by the regulation is legally obligated to implement a comprehensive cybersecurity program and maintain it in line with the regulation's requirements as they are phased in.
A proposed rule was published in September 2016 and, after revisions prompted by public and industry comment, the final rule was published in February 2017 and took effect on March 1, 2017. The regulation is organized into numbered sections (500.00 through 500.23) that state the requirements for both developing and implementing a cybersecurity program.
The regulation requires banks and other covered financial service providers to assess their existing cybersecurity posture and to address the risks identified in that assessment through a written cybersecurity program. It does not ask entities to eliminate all risk, but to manage it in proportion to the risk assessment. Implementation was phased in over transitional periods of 180 days to two years from the effective date, giving institutions time to put more robust policies and controls in place.
What Are the Key Components for the NYDFS Cybersecurity Regulation?
The NYDFS Cybersecurity Regulation focuses on imposing strict cybersecurity protocols on all organizations covered by the law. This includes:
- A written cybersecurity program and policy, with access privileges limited to authorized users
- Designation of a Chief Information Security Officer (CISO)
- Implementation and enforcement of the cybersecurity policy, informed by periodic risk assessments
- Ongoing maintenance of audit trails that record cybersecurity events and allow material financial transactions to be reconstructed
What is the scope of the NYDFS cybersecurity regulation?
Here is the scope of what the NYDFS Cybersecurity Regulation expects from all covered financial institutions.
Apart from the requirements above, the cybersecurity program must perform a set of core functions that mirror those of the NIST Cybersecurity Framework:
- Identifying internal and external cybersecurity risks, including the nonpublic information stored on the entity's systems
- Using a defensive infrastructure, policies, and procedures to protect information systems and nonpublic information from unauthorized access and other malicious acts
- Detecting cybersecurity events as they occur
- Responding to detected cybersecurity events to mitigate their effects
- Recovering from cybersecurity events and restoring normal operations
- Fulfilling regulatory reporting obligations, including the annual certification of compliance covering the prior calendar year
The regulation also requires penetration testing of the entity's information systems at least annually and vulnerability assessments at least bi-annually, scoped according to the risks identified in the risk assessment, unless the entity has effective continuous monitoring in place.
A Comprehensive Cybersecurity Program
Banks and other financial organizations must develop and implement a written cybersecurity program that addresses several areas, including threat detection and incident response. The written policy must contain standards, guidelines, and procedures for the organization's own systems and for its evaluation of any third-party solutions.
The policy must also cover data privacy and data retention, including secure disposal of customers' nonpublic information once it is no longer needed. Security measures such as access controls and encryption of nonpublic information in transit and at rest, applied on the basis of the risk assessment, are likewise integral parts of a policy under 23 NYCRR 500.
Designing a Cybersecurity Policy
The NYDFS cybersecurity regulation (section 500.03) lists the areas a written cybersecurity policy must address; these broadly correspond to the control domains of ISO 27001. A cybersecurity policy must therefore cover at least the following:
- Information security
- Data governance and classification
- Asset inventory and device management
- Access controls and identity management
- Business continuity and disaster recovery planning
- Systems operations and availability concerns
- Systems and network security
- Systems and network monitoring
- Systems and application development and quality assurance
- Physical security and environmental controls
- Customer data privacy
- Vendor and third-party service provider management
- Risk assessment
- Incident response
Covered Entities are Facing New Cyber Threats
The NYDFS Cybersecurity Regulation has several obligations that go above and beyond industry best practices. The following are the most notable:
- Data encryption: Organizations must implement controls, including encryption of nonpublic information in transit over external networks and at rest, based on the outcome of the risk assessment; where encryption is infeasible, the CISO must approve compensating controls.
- Annual certification: Covered entities must submit a written certification of compliance to the superintendent every year.
- Multi-factor authentication: Covered entities must use multi-factor authentication for any individual accessing the entity's internal networks from an external network, unless the CISO has approved reasonably equivalent or more secure controls in writing.
- Event notification: Covered entities must keep records of cybersecurity events and must notify the superintendent of any event that has a reasonable likelihood of materially harming normal operations or that must be reported to another government or supervisory body.
Third-Party Evaluation Protocols
A covered entity that uses third-party service providers must also have written policies and procedures to assess the security practices of those providers, just as it does for its in-house systems.
In simple terms, the hiring organization is responsible for ensuring that the third-party service provider applies security practices adequate to protect the covered entity's information systems and nonpublic information. The written policy must set out the requirements a third party must meet before it is onboarded, including due diligence on the provider, minimum security practices, access controls such as multi-factor authentication, encryption of nonpublic information in transit and at rest, and notice to the covered entity of cybersecurity events affecting its data.
The policy must also state the criteria used to gauge the effectiveness of the third party's security practices and how often those practices are reassessed.
It is the responsibility of the hiring institution, with oversight from its board of directors or equivalent governing body, to periodically assess the risk presented by each third party and the adequacy of its policies and controls.
Every covered bank, lender, insurer, and other financial service provider must also have its CISO report in writing, at least annually, to the board of directors or equivalent on the organization's cybersecurity program and material cybersecurity risks. The report must address the confidentiality, integrity, and availability of the entity's information systems, its cybersecurity policies and procedures, the material risks it faces, and any material cybersecurity events during the period.
Last but not least, the report must assess how effective the organization's current cybersecurity measures are, and it should reflect the results of the entity's vulnerability assessments and ongoing monitoring.
Who Are Covered Entities Under the NYDFS Cybersecurity Regulation?
The New York Department of Financial Services exercises authority over the banks, insurers, and other financial institutions it licenses or regulates in the state of New York. The following types of entities fall under the umbrella of the NYDFS cybersecurity regulation:
- Traditional banks
- Private banking institutions
- Licensed private lenders
- Mortgage brokers
- Life insurance companies
- Health insurance and other insurance companies
- Investment service providers
- State-chartered credit unions
- Savings associations
- Branches of foreign banks operating in New York
Companies Exempted from 23 NYCRR 500
A covered entity qualifies for a limited exemption from parts of 23 NYCRR 500 (it must still file a Notice of Exemption with DFS and remains subject to the rest of the regulation) if any of the following applies:
- It has fewer than 10 employees, including independent contractors, located in New York or responsible for its New York business.
- It had gross annual revenue of less than $5,000,000 in each of the last three fiscal years from its New York business operations. Revenue from other states does not count toward this threshold, so a multi-state institution with large total revenue can still qualify if its New York revenue is below the limit.
- It had year-end total assets of less than $10,000,000, calculated in accordance with generally accepted accounting principles and including the assets of all affiliates.
A separate, broader exemption applies to an entity that neither operates or controls any information systems nor owns or controls any nonpublic information.
What Must Covered Entities Do?
All covered financial institutions and entities must not only abide by the regulation but also deploy specific measures. These are the core cybersecurity requirements for financial services companies and other covered entities:
- Implement and maintain controls, including encryption of nonpublic information in transit over external networks and at rest, based on the risk assessment
- File an annual certification confirming compliance with the NYDFS cybersecurity regulation
- Implement multi-factor authentication for any individual accessing the entity's internal networks from an external network
- Maintain audit trails that record cybersecurity events and allow material financial transactions to be reconstructed; transaction records must be kept for at least five years and cybersecurity event records for at least three years
- Conduct periodic risk assessments that evaluate the confidentiality, integrity, and availability of the entity's information systems and nonpublic information
- Limit data retention by developing procedures for secure disposal of nonpublic information that is no longer needed for business operations or required to be retained by law
- Limit user access privileges to systems that hold nonpublic information and periodically review those privileges
- Notify the superintendent of DFS as promptly as possible, and no later than 72 hours after determining that a cybersecurity event has occurred, when the event has a reasonable likelihood of materially harming normal operations or must be reported to another government or supervisory body
What are the Penalties for Not Complying With the NYDFS Cybersecurity Regulations?
23 NYCRR 500 itself does not contain a fixed schedule of fines. DFS enforces the regulation through its existing statutory enforcement powers and decides the penalty for each case based on the violations it finds. For instance, NYDFS imposed a $1.8 million penalty on First Unum Life Insurance Company for non-compliance with 23 NYCRR 500.
NYDFS may also make the details of violation, penalty, and other consequences public information as well.
Any organization that requires a DFS license or authorization to provide financial services will typically have to abide by the NYDFS cybersecurity regulation. Such organizations must also use qualified cybersecurity personnel to design, implement, and manage adequate controls against the risks and threats they face.
However, these do not need to be in-house employees. An organization can use a third-party service provider with expertise in cybersecurity, provided it verifies that the provider is qualified. The organization must still conduct periodic risk assessments of its own systems and of the cybersecurity controls of any third-party service providers it relies on.
If a cybersecurity event is detected, the organization must determine whether it has a reasonable likelihood of materially harming its normal operations; if so, it must notify the New York Department of Financial Services within the 72-hour window, and the notice should explain the basis for that materiality determination.
If you are a licensed financial institution wanting to stay compliant with 23 NYCRR 500, Iron Range Cyber can help. We are an MSSP (Managed Security Services Provider) focused on providing affordable cybersecurity technology to small and midsize companies. Please speak to our team of experts for a solution that fits your business needs and budget.