    Complying with New York’s Cybersecurity Regulation (23NYCRR 500): What Financial Services Firms Need to Know

    With the growing potential impact of cybercrime on financial service entities, the New York Department of Financial Services (NYDFS) responded by implementing a new regulation setting cybersecurity requirements for financial institutions under DFS regulation. This New York Department of Financial Services regulation is commonly referred to as NYDFS 500. As of February 2018, covered entities must submit an annual Certificate of Compliance attesting to their cybersecurity program. Failure to certify exposes the entity to a “substantive deficiency,” punitive sanctions, and/or legal and compliance risk, all of which could negatively impact both a financial service entity’s reputation and financial results.

    Who must comply?

    NYDFS 500 requirements cover entities operating within the state of New York that fall under the regulation of the DFS, including banks, insurance companies, mortgage companies, service providers and other financial institutions.

    While NYDFS 500 outlines criteria under which some entities may be exempt or partially exempt, financial service entities are still required to file for that exemption. Exemptions are typically for smaller entities such as those with fewer than 10 employees or less than $10 million in total assets, certain captive insurers, and others.

    “It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program…
    The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark.”

    – Introduction to 23 NYCRR 500.0, New York Department of Financial Services

    What are the requirements?

    The cybersecurity components mandated by NYDFS 500 are largely best practices, policies and procedures. While many institutions already have some version of these due to SOX or other compliance requirements, others may find some aspects of the regulation to be new territory, such as encryption of nonpublic information. Still others may have some, but not all, of the requirements operating effectively, such as the newest requirements for identification and risk assessment of third-party service providers.

    Components of NYDFS 500

    • Cybersecurity Program
    • Cybersecurity Policy
    • CISO
    • Penetration Testing / Vulnerability Assessments
    • Audit Trail
    • Access Privileges
    • Application Security
    • Risk Assessment
    • Cyber Personnel
    • Third Party Policy
    • Multi-Factor Authentication
    • Data Retention
    • Training & Monitoring
    • Encryption
    • Incident Response Plan

    Four Phases of NYDFS 500

    To assist Covered Entities with implementation, the regulations became effective through four phases, summarized below.

    Phase One: Cybersecurity Policy Design

    Effective February 15, 2018

    Prepare and uphold a Cybersecurity Policy to address:

    • Information security
    • Data governance & classification
    • User access controls
    • BCP / DRP
    • Network security & monitoring
    • System operations & availability
    • Physical security
    • Customer data privacy
    • Regular risk assessment
    • Incident response

    Phase Two: Reporting Procedures

    Effective March 1, 2018

    Each Covered Entity must designate a CISO who shall report annually to the entity’s Board or equivalent the following:

    • Confidentiality of stored information
    • Integrity & Security of the entity’s systems
    • Cybersecurity policies and procedures
    • Material cybersecurity risks
    • Cybersecurity program’s effectiveness
    • Material cybersecurity events during the period of time covered by the report

    Phase Three: Program Development

    Effective September 3, 2018

    Implement a Cybersecurity Program (based on Risk Assessment) to address:

    • Confidentiality, Integrity and Availability of the entity’s information systems
    • An audit trail detailing cybersecurity events
    • In-house and third-party application Procedures
    • Data Retention/Disposal Policy
    • Encryption
    • Multi-factor authentication
    • Incident Response Plan
    • Training & Monitoring

    Phase Four: Third-Party Security

    Effective March 1, 2019

    Prepare and uphold a Third-Party Service Provider Security Policy and Procedures to address:

    • Identification and risk assessment of third-party service providers
    • Minimum cybersecurity policies and practices required by Entity of third-party service providers
    • Due-diligence process and procedures for evaluation of third-parties

    • Risk-based periodic assessments of third-party providers

    Who Submits Certification?

    NYDFS 500 requires that a Covered Entity’s Board of Directors or a Senior Officer sign the certification. A “Senior Officer” is defined as “the senior individual or individuals (acting collectively or as a committee) responsible for the management, operations, security, information systems, compliance and/or risk of a Covered Entity.” For most entities the Chief Information Security Officer (CISO) would be the most appropriate officer.

    Need Help?

    If your organization needs help preparing, assessing or remediating regulatory requirements to reach NYDFS 500 certification, the Process, Risk & Governance team at Frazier & Deeter can help. Our team includes highly experienced individuals with relevant professional designations and former financial institution and insurance company compliance executives, who understand the unique issues and requirements within financial services.
