Many organizations must comply with the New York Department of Financial Services (NYDFS) Cybersecurity Regulation, which is also known as 23 NYCRR 500.
Like numerous regulations, 23 NYCRR 500 is designed to protect sensitive non-public information. However, it is specifically meant for covered New York-chartered or licensed financial institutions such as credit unions, banks, insurance firms and mortgage companies, as well as the third-party service providers that they work with.
NYDFS requirements are known to be quite rigorous, and they are backed by an aggressive regulator. In fact, DFS recently charged the First American Title Insurance Company with failing to adhere to its cybersecurity regulation, marking the first time that 23 NYCRR 500 was enforced. Undoubtedly, there will be more such enforcement actions in the future.
What do you need to know about NYDFS? Here are seven notable facts:
1. It doesn’t just apply to New Yorkers.
While NYDFS is specifically meant for the financial institutions that are regulated by the New York Department of Financial Services, such organizations don’t necessarily have to be located in the Big Apple to be required to comply. Rather, NYDFS applies to organizations that do financial business in New York, even if they are located elsewhere. It also extends to financial institutions’ third parties—no matter where they are.
2. It has specific cybersecurity assessment requirements.
Unlike some regulations, NYDFS stipulates very particular security processes that must be put in place. These include, for example, performing annual penetration testing, bi-annual vulnerability assessments and periodic risk assessments. These requirements are designed to ensure that businesses regularly check for cyber issues that may surface as business operations change.
3. It requires the appointment of a CISO.
NYDFS requires organizations to appoint a chief information security officer who is tasked with implementing and enforcing cybersecurity. The CISO is responsible for submitting a written report at least annually to the organization’s board of directors, governing body or senior officer about the organization’s cybersecurity program and risks. He or she should consider the integrity and security of the organization’s information systems, its cybersecurity policies and procedures, cyber risk, program effectiveness and any cyber events experienced.
4. It demands limited retention of non-public information
Compared to most privacy laws, NYDFS has simpler requirements regarding the storage and processing of personal information. It does specify that non-public information (such as PII) should not be retained unless needed for legitimate business purposes, or when such data is required by laws or regulations.
5. It mandates a third-party service provider policy.
To prevent cyberattacks through third parties, NYDFS requires organizations to implement written policies and procedures that ensure that data shared with third-party service providers remains secure. Specifically, there must be guidelines in place for third parties, including the use of multi-factor authentication, encryption and cyber event notifications.
6. It covers a wide range of cyber events.
NYDFS aims to prevent any attempts to misuse or unlawfully access systems, including, for example, ransomware and denial of service attacks. This goal extends beyond just preventing data breaches, and requires organizations to carefully examine cybersecurity processes and procedures such as employee access.
Like many privacy regulations, NYDFS demands notice to the regulator (known as the “Superintendent”) of cyber events no later than 72 hours after the “determination” that there has in fact been such an occurrence.
7. It demands serious cyber training.
Cybersecurity training is critical to a robust security process, but the amount required by NYDFS is notable: Not only are companies required to train their employees about addressing cybersecurity risk; they also must ensure that their cybersecurity professionals remain current with cyber trends. Such training is key to reducing employee attack likelihood.
Want to learn about the steps your organization should take to comply with NYDFS? Download our guide here.
