
Complying with New York’s Cybersecurity Regulation (23 NYCRR 500): What Financial Services Firms Need to Know

With the growing potential impact of cybercrime on financial services entities, the New York Department of Financial Services (NYDFS) responded by adopting a regulation, 23 NYCRR Part 500, that sets cybersecurity requirements for the financial institutions it regulates. The regulation took effect on March 1, 2017 and is commonly referred to as NYDFS 500. Beginning February 15, 2018, and by February 15 of each year thereafter, covered entities must submit an annual Certification of Compliance attesting that their cybersecurity program met the regulation’s requirements during the prior calendar year. Failure to certify, or certifying while a material deficiency remains open, exposes the entity to regulatory sanctions and to legal and compliance risk, any of which could harm both its reputation and its financial results.

Who must comply?

NYDFS 500 applies to “Covered Entities”: any person or organization operating under a license, registration, charter, certificate, permit, accreditation or similar authorization under New York’s Banking Law, Insurance Law or Financial Services Law. This includes banks, insurance companies, mortgage companies and other DFS-regulated financial institutions. A third-party service provider is not itself a Covered Entity unless it holds its own DFS authorization, but, as described under Phase Four below, Covered Entities must identify and assess the service providers that can reach their systems or nonpublic information.

While NYDFS 500 outlines criteria under which some entities may be fully or partially exempt, an entity that qualifies must still file a Notice of Exemption with DFS. Exemptions are typically available to smaller entities, such as those with fewer than 10 employees (including independent contractors), less than $5 million in gross annual revenue from New York operations in each of the last three fiscal years, or less than $10 million in year-end total assets, as well as to certain captive insurers and others.

“It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program…
The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark.”

– Introduction to 23 NYCRR 500.0, New York Department of Financial Services

What are the requirements?

The components mandated by NYDFS 500 are largely established best practices expressed as required policies, procedures and controls. Many institutions already have some version of these because of SOX or other compliance requirements, but others will find certain aspects of the regulation to be new territory, such as encryption of nonpublic information in transit and at rest. Still others may have some, but not all, of the requirements operating effectively, particularly the newest requirements for identifying and risk-assessing third-party service providers.

Components of NYDFS 500

Cybersecurity Program
  • Cybersecurity Policy
  • CISO
  • Penetration Testing / Vulnerability Assessments
  • Audit Trail
  • Access Privileges
  • Application Security
  • Risk Assessment
  • Cyber Personnel
  • Third Party Policy
  • Multi-Factor Authentication
  • Data Retention
  • Training & Monitoring
  • Encryption
  • Incident Response Plan

Four Phases of NYDFS 500

To assist Covered Entities with implementation, the regulations became effective through four phases, summarized below.

Phase One: Cybersecurity Policy Design

Effective August 28, 2017 (180 days after the regulation took effect on March 1, 2017); the first annual Certification of Compliance was due February 15, 2018

Adopt and maintain a written Cybersecurity Policy, approved by a Senior Officer or the Board, that addresses:

  • Information security
  • Data governance & classification
  • User access controls
  • BCP / DRP
  • Network security & monitoring
  • System operations & availability
  • Physical security
  • Customer data privacy
  • Regular risk assessment
  • Incident response

Phase Two: Reporting Procedures

Effective March 1, 2018

Each Covered Entity must designate a qualified CISO, who shall report in writing at least annually to the entity’s Board or equivalent governing body on the following:

  • Confidentiality of nonpublic information
  • Integrity & security of the entity’s information systems
  • Cybersecurity policies and procedures
  • Material cybersecurity risks
  • Overall effectiveness of the cybersecurity program
  • Material cybersecurity events during the period of time covered by the report

Phase Three: Program Development

Effective September 3, 2018

Implement a Cybersecurity Program, based on the entity’s Risk Assessment, that addresses:

  • Confidentiality, integrity and availability of the entity’s information systems
  • An audit trail sufficient to reconstruct material financial transactions and detect cybersecurity events
  • Secure development procedures for in-house applications and evaluation of third-party applications
  • Data retention and disposal policy for nonpublic information no longer needed
  • Encryption of nonpublic information in transit and at rest (or approved compensating controls)
  • Multi-factor authentication
  • Incident Response Plan
  • Training & monitoring

Phase Four: Third-Party Security

Effective March 1, 2019

Prepare and uphold a Third-Party Service Provider Security Policy and Procedures to address:

  • Identification and risk assessment of third-party service providers
  • Minimum cybersecurity policies and practices required by the Entity of third-party service providers
  • Due-diligence process and procedures for evaluation of third parties
  • Risk-based periodic assessments of third-party providers

Who Submits Certification?

NYDFS 500 requires that the Chairperson of a Covered Entity’s Board of Directors or a Senior Officer sign the certification. A “Senior Officer” is defined as “the senior individual or individuals (acting collectively or as a committee) responsible for the management, operations, security, information systems, compliance and/or risk of a Covered Entity.” For most entities the Chief Information Security Officer (CISO) would be the most appropriate officer.

Need Help?

If your organization needs help preparing, assessing or remediating regulatory requirements to reach NYDFS 500 certification, the Process, Risk & Governance team at Frazier & Deeter can help. Our team includes highly experienced individuals with relevant professional designations and former financial institution and insurance company compliance executives, who understand the unique issues and requirements within financial services.
