The Big Picture
The NYDFS Cybersecurity Regulation, 23 NYCRR 500, requires New York banks, financial services companies and insurance companies, including non-New York insurance companies that do business in New York, to perform a Cybersecurity Risk Assessment and to create and maintain a Cybersecurity Program based on that Risk Assessment. This risk-based approach is designed to protect the confidentiality, integrity, and availability of information systems, ultimately protecting consumers and the New York State financial services industry.
Taking a Closer Look – Who is Covered?
The NYDFS Cybersecurity Regulation applies to any business regulated by the NYDFS under the Banking Law, Insurance Law or Financial Services Law. These “covered entities” include:
- State-chartered banks
- Licensed Lenders
- Private bankers
- Service contract providers
- Trust companies
- Mortgage companies
- Foreign banks licensed to operate in New York
- Insurance companies doing business in New York
Organizations that qualify for a limited exemption from the regulation include those with:
- Less than 10 employees
- Less than $5 million in gross annual revenue for each of the last three years from NY business operations, OR
- Less than $10 million in year-end total assets
Taking a Closer Look – What is Required?
The NYDFS Cybersecurity Regulation requires these covered entities to create and maintain a Cybersecurity Program based on their Cybersecurity Risk Assessment. The Cybersecurity Program should perform the following functions:
- Identify and assess internal and external Cybersecurity risks
- Use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity’s Information Systems
- Detect Cybersecurity Events
- Respond to identified or detected Cybersecurity Events to mitigate any negative effects
- Recover from Cybersecurity Events and restore normal operations and services
- Fulfill applicable regulatory reporting obligations
Taking a Closer Look – How do Businesses Reach Compliance?
The timetable to become compliant began when 23 NYCRR 500 took effect on March 1, 2017. There are several milestone dates and transitional periods throughout the compliance process. These milestone dates and expectations are listed below:
August 28, 2017 – 180-day transitional period ends. Covered entities are required to be in compliance with certain parts of the regulation, unless otherwise noted, namely sections:
- 500.02 – Establish and maintain a Cybersecurity Program
- 500.03 – Implement and maintain written cybersecurity policies and procedures
- 500.04(a) – Designate a Chief Information Security Officer (CISO)
- 500.16 – Establish a written incident response plan
February 15, 2018 – Covered entities are required to submit the first annual certification to the NYDFS Superintendent’s office:
- 500.17(b) – Annual written statement covering the prior year certifying compliance with the NYDFS Cybersecurity Regulation
March 1, 2018 – One-year transitional period ends. Covered entities are required to be in compliance with these sections:
- 500.04(b) – Annual CISO cybersecurity report to the Board of Directors or equivalent governing body
- 500.05 – Annual penetration testing and bi-annual vulnerability assessments
- 500.09 – Conduct a Cybersecurity Risk Assessment
- 500.12 – Implement Multi-Factor Authentication or Risk-Based Authentication
- 500.14(b) – Training: Provide employee cybersecurity awareness training
September 3, 2018 – Eighteen-month transitional period ends. Covered entities are required to be in compliance with these sections:
- 500.06 – Have the ability to reconstruct material financial transactions and audit trails to detect and respond to Cybersecurity Events
- 500.08 – Implement application security procedures, guidelines and standards for both in-house and externally developed applications
- 500.13 – Implement data retention policies and procedures
- 500.14(a) – Implement policies, procedures and controls to monitor the activity of authorized users and detect unauthorized access, use or tampering with nonpublic information
- 500.15 – Encrypt nonpublic information in transit over external networks and at rest
March 1, 2019 – Two-year transitional period ends. Covered entities are required to be in full compliance with 23 NYCRR 500.
Moving forward, per Section 500.17, covered entities are required to notify the NYDFS Superintendent within 72 hours of a Cybersecurity Event. In addition, an annual written statement covering the prior year and certifying compliance with 23 NYCRR 500 must be submitted to the Superintendent.
Meeting the requirements of 23 NYCRR 500 can be a daunting process. With proper planning and the use of available resources, such as an experienced, reputable cybersecurity partner, compliance and robust cybersecurity are well within reach. To learn how SCA can help, click here.