In March 2017, the New York Department of Financial Services (NYDFS) cybersecurity regulations—known as 23 NYCRR Part 500—went into effect. According to the regulation, “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” is considered a covered entity and must comply.
The new regulations acknowledge that the threat posed by bad actors and cybercriminals over the past decade has significantly increased. In the early 2000s, a significant number of state laws were passed which, among other things, required companies to disclose a data breach to consumers if their data or personally-identifiable information (PII) was compromised. The new NYDFS cybersecurity regulations indicate a new wave of regulations that now require certain cybersecurity measures to be put into place so breaches are less likely to occur. 23 NYCRR Part 500 signals a shift from regulating breach disclosure to regulating the implementation of appropriate security controls.
Noncompliance with 23 NYCRR Part 500 can lead to fines or program reviews, but the scope of those consequences are not fully known. It’s important for your organization to thoroughly review and consider the regulation in full—but there are five high-level requirements of the NYDFS regulation you should know about:
5 Highlights Of The NYDFS Cybersecurity Regulations
1. Covered entities are required to have a cybersecurity program.
According to section 500.02 (on page 3), “Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems.”
In addition to this overarching requirement, covered entities must employ a chief information security officer (CISO) who must report to the board, and senior management must review and approve the cybersecurity policies.
2. Covered entities are required to have a third-party service provider risk management program.
According to section 500.11 (on page 7), “Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers.”
As part of this requirement, covered entities must perform due diligence on all third-party vendors and periodically assess their security. Continuous monitoring programs like BitSight Security Ratings make the vendor risk management process much simpler.
3. Covered entities are required to file annual compliance certification.
Regulation states that the chairman of the board for a covered entity must submit a self-certification stating the board has reviewed cybersecurity documentation and policies and that the board is compliant with NYDFS regulations.
4. Covered entities are required to provide cybersecurity training.
Section 500.14 (page 9) broadly states that covered entities should “provide regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the Covered Entity in its Risk Assessment.”
In essence, all employees should understand how to handle IT and security issues so they are capable of helping your organization mitigate and address cyber risks.
5. Covered entities are required to use technology controls for cybersecurity.
A number of technological controls are mentioned in the regulation, including application security (section 500.08), penetration testing and vulnerability assessments (section 500.05), multi-factor authentication (section 500.12), and encryption of non-public information (500.15).
If you’re a covered entity, keep these dates in mind:
If your financial services company is covered under these regulations, the New York Department of Financial Services website lists a few key dates to know:
- February 15, 2018: Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.
- March 1, 2018: One-year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500.
- September 4, 2018: Eighteen-month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.
- March 1, 2019: Two-year transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11.
If you need to comply with the NYDFS cybersecurity regulation requirements (and surpass them), BitSight can help. Security Ratings can help your organization produce more impactful cybersecurity reports to share with the Board; quickly and easily identify, assess, and manage third-party cyber risk; and continuously monitor potential security issues as they arise.