With the growing potential impact of cybercrime on financial service entities, the New York Department of Financial Services (NYDFS) responded by implementing new regulation regarding cybersecurity requirements for financial institutions under DFS regulation. This New York Department of Financial Services regulation is commonly referred to as NYDFS 500. As of February 2018, covered entities must submit an annual Certificate of Compliance attesting to their cybersecurity program. Failure to certify exposes the entity to a “substantive deficiency,” punitive sanctions, and/or legal and compliance risk, all of which could negatively impact both a financial service entity’s reputation and financial results.
Who must comply?
|NYDFS 500 requirements cover entities operating within the state of New York, that fall under the regulation of the DFS, including banks, insurance companies, mortgage companies, service providers and other financial institutions.
While NYDFS 500 outlines criteria under which some entities may be exempt or partially exempt, financial service entities are still required to file for that exemption. Exemptions are typically for smaller entities such as those with fewer than 10 employees or less than $10 million in total assets, certain captive insurers, and others.
“It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program…
The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark.”
– Introduction to 23 NYCRR 500.0, New York Department of Financial Services
What are the requirements?
The cybersecurity components mandated by NYDFS 500 are largely best practices, policy and procedures. While many institutions have some version of these due to SOX or other compliance requirements, others may find some aspects of regulation to be new territory, such as encryption of nonpublic information. Others may have some, but not all, of the requirements operating effectively such as the newest requirements of identification and risk assessment of third-party service providers.
Components of NYDFS 500
Four Phases of NYDFS 500
To assist Covered Entities with implementation, the regulations became effective through four phases, summarized below.
Phase One: Cybersecurity Policy Design
Effective February 15, 2018
Prepare and uphold a Cybersecurity Policy to address:
Phase Two: Reporting Procedures
Effective March 1, 2018
Each Covered Entity must designate a CISO who shall report annually to the entity’s Board or equivalent the following:
Phase Three: Program Development
Effective September 3, 2018
Implement a Cybersecurity Program (based on Risk Assessment) to address:
Phase Four: Third-Party Security
Effective March 1, 2019
Prepare and uphold a Third-Party Service Provider Security Policy and Procedures to address:
Risk-based periodic assessments of third-party providers
Who Submits Certification?
NYDFS 500 instructs a Covered Entity’s Board of Directors or Senior Officer must sign the certification.A “Senior Officer” is defined as “the senior individual or individuals (acting collectively or as a committee) responsible for the management, operations, security, information systems, compliance and/or risk of a Covered Entity.” For most entities the Chief Information Security officer (CISO) would be the most appropriate officer.
If your organization needs help preparing, assessing or remediating regulatory requirements to reach NYDFS 500 certification, the Process, Risk & Governance team at Frazier & Deeter can help. Our team includes highly experienced individuals with relevant professional designations and former financial institution and insurance company compliance executives, who understand the unique issues and requirements within financial services.