What is the NYDFS Cybersecurity Regulation?
The New York Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR 500) is a set of rules issued by the New York Department of Financial Services that imposes cybersecurity demands on all financial firms. The initiative behind the regulation is to protect the financial services industry and its customers from the growing threat of malicious actors and cyberattacks.
The NYDFS Cybersecurity Regulation applies to all entities operating under a DFS license, registration, or charter, as well as to their third-party distributors and providers.
The entities that must comply are as follows:
- State-chartered banks
- Licensed lenders
- Private bankers
- Foreign banks licensed to operate in New York
- Mortgage companies
- Insurance companies
- Service providers
The NYDFS Cybersecurity Regulation provides limited exemptions for organizations employing fewer than ten people, generating less than $5 million in gross annual revenue from New York operations in each of the previous three years, or holding less than $10 million in year-end total assets.
What are the requirements for NYDFS compliance?
Regulation 23 NYCRR 500 establishes a basic framework for organizations to develop comprehensive cybersecurity programs tailored to their business models and risks. The framework is divided into 23 sections that address the requirements for developing and implementing a strong cybersecurity program.
The NYDFS has phased in this framework: implementation is divided into four phases, each with its own effective date, giving businesses enough time to build stronger controls and procedures into their operations.
Phase 1 – Fundamental Requirements (came into effect on February 15, 2018):
Service providers must establish and maintain a formal cybersecurity plan and strategy, appoint a Chief Security Officer, review user access privileges periodically, consider hiring cybersecurity professionals, and develop a formal incident response plan.
Phase 2 – Assessment, Awareness and Reporting (came into effect on March 1, 2018):
Service providers must perform routine penetration testing and vulnerability assessments, conduct an information system risk assessment, employ multi-factor or risk-based authentication, provide regular cybersecurity awareness training for all staff, and have the CISO report on the entity’s cybersecurity plan and risks.
Phase 3 – Audit Trail, Procedures, Guidelines, and Controls (came into effect on September 3, 2018):
Service providers must maintain an independent audit trail designed to detect and respond to cyber incidents, and must develop specific guidelines, procedures, and standards for application security and for the retention, disposal, and monitoring of access to potentially sensitive information.
Phase 4 – Third-Party Policy (came into effect on March 1, 2019):
Service providers must establish and document policies and practices that ensure the security of information systems and sensitive information accessible to third-party providers. The regulation also requires those third-party providers to comply.
Why should you be NYDFS compliant?
The clearest advantage of adhering to NYDFS is improving the organization’s protection against the highly sophisticated cyberattacks that threaten US financial organizations.
The regulation also aims to protect sensitive personal information and to enhance the integrity of information technology used by regulated organizations.
Noncompliance with 23 NYCRR 500 can have disastrous consequences for covered institutions. While the NYDFS does not specify the penalties for covered entities that fail to comply with the cybersecurity regulation, it is clear that noncompliance can result in legal costs and settlements.
Aside from potential fines and penalties, covered entities risk losing customers and incurring fraud losses. Noncompliance can also erode the institution’s brand reputation, possibly leading to its closure.
How to achieve compliance?
By February 15 of each year, each covered entity must submit to the Superintendent of DFS a written statement covering the previous calendar year, certifying that it complies with the requirements of the Cybersecurity Regulation. Each covered entity must retain all records, schedules, and data supporting this certification for five years, so that they are available for examination by DFS.
Centraleyes delivers an integrated NYDFS questionnaire, automated data collection and analysis, prioritized remediation guidance, and real-time customized scoring to meet the NYDFS requirements. With its user-friendly dashboard, you can visualize security threats, assess security incidents, track alerts, and assign them to team members for resolution.
The Centraleyes platform also collects all security information and automates reports to help organizations meet NYDFS requirements, saving time and money and producing more accurate data.