NYDFS Cybersecurity Compliance for Financial Institutions
The NYDFS Cybersecurity Regulation, also known as 23 NYCRR 500, is a set of rules issued by the New York Department of Financial Services. It established cybersecurity standards for all financial institutions covered under the regulation. The rules were formally released on February 16, 2017, after two rounds of feedback and deliberation involving the public and industry representatives. The regulation has 23 sections that outline the steps covered entities must take to develop, implement, and maintain security for all the sensitive data they collect and manage. It initially gave institutions a transition window in which to implement the required security measures.
Who Is Covered by NYDFS Cybersecurity Regulation?
The rules set forth by the NYDFS Cybersecurity Regulation apply to all entities that operate, or are required to operate, under a DFS license or charter, or that are registered with or regulated by the DFS in any way. It also reaches third-party vendors that are not themselves regulated but perform duties and tasks for entities that are. Examples of entities covered by the NYDFS Cybersecurity Regulation include:
- State-chartered banks.
- Mortgage companies.
- Private bankers.
- Any foreign bank licensed to operate in New York.
- Insurance companies.
- Service providers for covered institutions.
There are exemptions to the NYDFS Cybersecurity Regulation, but they are limited. Entities with fewer than 10 people, with less than $5 million in gross annual revenue from their New York operations over the past three years, or with less than $10 million in year-end total assets are exempt from certain provisions of the regulation.
How the NYDFS Cybersecurity Regulation Works
Organizations covered by the NYDFS Cybersecurity Regulation are expected to comply with strict rules governing their digital assets. These include creating and implementing a cybersecurity program, designating a Chief Information Security Officer for the organization, enacting effective cybersecurity policies, and reporting and tracking security threats. Each of these components is then broken down into sub-sections and further requirements.
Requirements of the NYDFS Cybersecurity Regulation
The NYDFS Cybersecurity Regulation requires covered organizations to adhere to strict rules, and they need to accomplish the following:
- Create a defensive infrastructure designed to protect against external and internal threats.
- Identify such threats and document them.
- Detect cybersecurity events through an enacted system.
- Resolve all cybersecurity events.
- Ensure recovery from any cybersecurity attack.
- Fulfill reporting requirements.
Design of Cybersecurity Policies
The first phase of the NYDFS Cybersecurity Regulation came into effect on February 15, 2018, when it required covered organizations to create their cybersecurity policies. The policy should include an incident response plan that provides data breach notification to the specified authorities within 72 hours. The cybersecurity policy must adhere to ISO 27001 standards, along with industry best practices.
Other items that the cybersecurity policy must cover under the regulation are:
- Access controls.
- Information security.
- Network security.
- Regular risk assessments.
- Customer data privacy.
- Disaster recovery planning.
NYDFS Cybersecurity Reporting Procedures
The second phase, which took effect on March 1, 2018, created a requirement to provide reports that cover:
- All the organization’s security risks.
- The cybersecurity policy that has been created.
- The effectiveness of the cybersecurity measures currently implemented by the organization.
Cybersecurity programs developed by covered organizations should continuously check and evaluate vulnerabilities, which allows them to take a more proactive approach in dealing with potential threats.
On September 3, 2018, Phase 3 of the NYDFS Cybersecurity Regulation took effect. It required all covered entities to implement a comprehensive cybersecurity system and specified the key elements these entities must have in place:
- A complete audit system highlighting threat detection and response.
- Documented procedures and guidelines for in-house applications, as well as guidelines on third-party vendors.
- Detailed documentation on data retention, including how sensitive information is disposed of.
- All other security control measures.
The final requirement of the NYDFS Cybersecurity Regulation took effect on March 1, 2019. It covers the finalization of policies for third-party vendors that are given access to the organization’s systems and network. The security policy for such cases must include:
- Assessing the risk posed by third-party vendors.
- Creating a process to evaluate the effectiveness of a vendor’s security practices.
- Requiring vendors to meet the security requirements set forth by the organization.
- Regularly assessing the vendor’s security policies.
The NYDFS Cybersecurity Regulation also sets out other requirements, such as:
- The use of qualified cybersecurity personnel to manage threats and responses.
- Sending a notification to the NYDFS about any potential threat that carries a risk of “reasonable harm.”
- Limiting access to networks and sensitive data.
New Cybersecurity Challenges
Other requirements of the NYDFS Cybersecurity Regulation highlight the need for covered organizations to identify new and evolving threats and challenges. It also expects them to go beyond the baseline, which includes the following:
- Encrypt data to secure sensitive information.
- Complete annual certification to ensure compliance and safety.
- Make use of enhanced multi-factor authentication.
- Report any and all incidents and document them.
Penalties for NYDFS Cybersecurity Violations
The NYDFS Cybersecurity Regulation does not spell out specific penalties, fines, or other repercussions for violating its terms. If a violation does occur, the penalty is determined case by case.
Benefits of NYDFS Cybersecurity and Its Drawbacks
There are several pros and cons with the NYDFS Cybersecurity regulation, which are:
- The regulations were scaled back from the original requirement that all data at rest and in transit be encrypted, which would have been very restrictive for many organizations.
- According to senior research analyst Sam Olyaei, the regulations were out of date even before they were enacted, though he went on to say that they are still better than others.
- Smaller organizations can rely on third-party providers to meet the requirements of the NYDFS Cybersecurity regulation.
- There are fair exemptions to the rules.
Best Practices With NYDFS Cybersecurity Compliance
To ensure proper compliance with the NYDFS Cybersecurity Regulation, organizations need to:
- Determine whether the organization is actually covered by the regulation, and which of its rules apply to the organization.
- Create an NYDFS Cybersecurity Regulation compliance team that understands and oversees the changes needed to comply with the rules and guidelines.
- Understand the risks and vulnerabilities of the organization.
- Adhere to the deadlines set forth by the NYDFS Cybersecurity Regulation.