NYDFS Cybersecurity Regulation, 23 NYCRR 500
On March 1, 2017, the New York State Department of Financial Services (NYDFS) brought into effect a new cybersecurity regulation, 23 NYCRR Part 500, for the financial services companies it supervises. It addresses the growing threat that cyber-criminality poses to financial firms and is intended to regulate the protection of customer data and the security of operations within the industry.
This e-book positions security and compliance leaders to better understand how NYDFS applies to their organizations and what the effects might be.
Who does it impact?
The regulation applies to all Department of Financial Services (DFS)-regulated firms and their out-of-state and overseas branches, requiring them to assess their cybersecurity risk profiles and implement a comprehensive program that identifies and mitigates that risk. DFS retains the right to examine New York branches of overseas banks, and it strongly encourages all financial institutions to adopt cybersecurity protections consistent with the safeguards of 23 NYCRR Part 500.
Types of organizations regulated by the Department of Financial Services are:
- Licensed lenders
- State-chartered banks
- Trust companies
- Service contract providers
- Private bankers
- Mortgage companies
- Insurance companies doing business in New York
- Non-U.S. banks licensed to operate in New York
The regulation contains limited exemptions (Section 500.19) for covered entities that meet any one of the following:
- Fewer than 10 employees, including independent contractors
- Less than $5 million in gross annual revenue from New York business operations in each of the last three fiscal years; or
- Less than $10 million in year-end total assets
The exemption is partial: an exempt entity must still file a Notice of Exemption and remains subject to a reduced set of requirements, including the cybersecurity policy, risk assessment, access privilege, data retention and third party service provider provisions.
How do firms comply with NYDFS?
All entities covered by the NYDFS Cybersecurity Regulation 23 NYCRR Part 500 were required to submit their first annual Certification of Compliance to the NYDFS superintendent's office by February 15, 2018. The regulation took effect on March 1, 2017 and phased in its requirements over four transitional periods:
|Phase 1 – Fundamental Requirements||August 28, 2017 (180 days after the effective date; attested in the first Certification of Compliance, due February 15, 2018)|
|Phase 2 – Assessment, Awareness and Reporting||March 1, 2018|
|Phase 3 – Audit Trail, Procedures and Controls||September 1, 2018|
|Phase 4 – Third Party Service Providers||March 1, 2019|
Phase 1 – Fundamental Requirements. Effective August 28, 2017: Covered entities were required to implement and maintain a formal cybersecurity program and written cybersecurity policy, designate a Chief Information Security Officer (CISO), limit and periodically review user access privileges, employ qualified cybersecurity personnel, and establish a written incident response plan. Compliance with these requirements was attested in the first Certification of Compliance due February 15, 2018.
Phase 2 – Assessment, Awareness and Reporting. Effective March 1, 2018: Covered entities were required to perform periodic penetration testing and vulnerability assessments, conduct a periodic risk assessment of their information systems, use multi-factor or risk-based authentication, provide regular cybersecurity awareness training for all personnel, and have the CISO report at least annually to the board on the covered entity's cybersecurity program and material cybersecurity risks.
Phase 3 – Audit Trail, Procedures, Guidelines, and Controls. Effective September 1, 2018: Covered entities were required to maintain audit trails designed to detect and respond to cybersecurity events; develop written procedures, guidelines and standards for secure application development; adopt policies for the retention and secure disposal of nonpublic information; monitor the activity of authorized users; and encrypt nonpublic information in transit and at rest, or, where encryption is infeasible, use compensating controls reviewed and approved by the CISO.
Phase 4 – Third Party Service Provider Security Policy. Effective March 1, 2019: Covered entities were required to implement written policies and procedures designed to ensure the security of information systems and nonpublic information that are accessible to, or held by, third party service providers, including due diligence on those providers, minimum cybersecurity practices required of them, and periodic assessment of them. The regulation binds the covered entity rather than the provider directly: a provider's obligations flow through the covered entity's contracts and policies.
Consequences of Non-compliance
The regulation does not set out its own penalty schedule; its enforcement section simply states that the superintendent enforces it under existing authority, which includes the penalty provisions of the New York Banking, Insurance and Financial Services Laws. Separately, it requires a covered entity to notify the superintendent as promptly as possible, and in no event later than 72 hours after determining that a reportable cybersecurity event has occurred. Given the fines imposed under comparable regulations elsewhere and those available under New York Banking Law, the penalty for noncompliance with NYDFS is likely to be equally severe. With the additional consequences of reputational damage, loss of business, and increased scrutiny by the regulator, failing to comply is not a risk worth taking.
The deadline for the final phase of the regulation was March 1, 2019, and financial firms are now in the post-implementation stage. NYDFS is one more example of data security being taken more seriously, with new regulations arising across the globe. In the US, where much data-protection regulation is enacted state by state, NYDFS is soon to be followed by the CCPA (California Consumer Privacy Act), and more regulation is inevitable. Financial firms that have already worked through GDPR and NYDFS are likely to be well prepared; even so, a robust data-centric security program is invaluable both for complying with every data protection regulation and, ultimately, for protecting your company from a breach.
To learn more about NYDFS read the eBook here.