The NYDFS Cybersecurity Regulation (23 NYCRR 500) is a fairly new series of regulations from the New York Department of Financial Services. And for financial institutions, it’s something that can’t be ignored. With a little research and implementation, you can make sure your business is playing by the rules.
NYDFS is “designed to promote the protection of customer information as well as the information technology systems of regulated entities.” It’s essentially a regulation that requires entities to self-govern by conducting risk assessments and implementing the proper programs to detect and respond to adverse cyber events.
The rules were first released on February 16, 2017, after several rounds of feedback from both the industry and the general public. The regulation applies to all covered New York financial institutions and contains 23 different sections. These outline requirements for (a) developing a cybersecurity program; (b) implementing the program; and (c) assessing cybersecurity risks on an ongoing basis and developing plans to proactively deal with those risks before they create problems.
The NYDFS Cybersecurity Regulation originally featured a four-phase implementation approach to compliance. Each phase had its own effective date, which allowed organizations to implement more than two dozen components of the cybersecurity framework. Implementation began in February 2018 and extended through March 2019. Today, covered organizations are expected to meet all requirements.
Who Does the NYDFS Cybersecurity Regulation Apply To?
The NYDFS Cybersecurity Regulation applies to companies, organizations and entities that operate under DFS licensure, registration or charter (or any other group that’s DFS-regulated). Unregulated third-party service providers to these entities are, by association, subject to the requirements.
Examples of covered entities include state-chartered banks, private bankers, licensed lenders, mortgage companies, insurance companies, foreign banks that are licensed to operate in New York and service providers.
Any organization that employs fewer than 10 people, produces less than $5 million in gross annual revenue from New York operations in each of the past three fiscal years or holds less than $10 million in assets at the end of the year is exempt from the NYDFS Cybersecurity Regulation and its accompanying requirements.
In the simplest terms, any entity or institution that requires a license from the NYDFS is also covered by this regulation.
Tips and Requirements for Staying NYDFS Compliant
Staying NYDFS compliant isn’t optional, and it isn’t merely a recommendation. If you’re required under the law to adhere, you have no choice. A failure to comply can lead to a host of penalties, fines and legal consequences.
As you attempt to bring your organization into alignment with the NYDFS Cybersecurity Regulation, you may find the following tips, requirements and best practices helpful:
1. Begin by Taking Inventory
The first step is to take a complete inventory of your financial systems. Think of it like cleaning out a closet. Before you can put everything in its proper place and establish an organization system, you have to pull everything out and determine what you have. The same is true with your IT systems and financial data.
2. Document Storage of Sensitive Data
As you take inventory, document every single database, datapoint and storage mechanism that stores Non-Public Information, or NPI. You’ll need this documentation in order to adhere to the NYDFS requirements. (It’ll also aid your internal efforts to meet various encryption requirements moving forward.)
3. Use the Right Encryption Standards
Any sensitive data and NPI that comes through your systems or databases will need to be encrypted to provide maximum protection. This process begins by prioritizing where to start. Based on the sensitivity of the data, the amount of data, the possible exposure of the systems and the operational impact of loss, you can develop your own plan for how to proceed.
The key to successful encryption is to use the right standards. You should avoid non-standard or home-grown encryption as much as possible. All data at rest needs to be protected with NIST-compliant, 256-bit AES encryption.
4. Conduct Regular Risk Assessments
The NYDFS Cybersecurity Regulation requires covered entities to conduct periodic risk assessments to evaluate the “confidentiality, integrity, security, and availability of the IT infrastructure and PII.”
The term “periodic” is obviously subjective, but you don’t want to wait too long between assessments. CISOs are required to certify that their organizations are compliant on an annual basis, so you should perform assessments at least once per year.
5. Create an Incident Response Plan
Covered entities also need incident response plans in place. You’ll need to develop a written plan that clearly documents the specific internal processes you’ll use to respond to various cybersecurity events. This includes roles and responsibilities, communication plans and any necessary remediations of controls.
6. Provide Proper Notification in Case of an Incident
If you ever experience a cybersecurity event, you’re required to notify the NYDFS within 72 hours after a “material” incident has been detected. The key word here is “material.”
According to the NYDFS, you’re only required to report an event if it has a reasonable likelihood of “materially harming” any “material part” of your organization’s IT infrastructure. This leaves plenty of room for discretion, so make sure your incident response plan clearly outlines what does and does not qualify for reporting.
7. Implement Proper Third-Party Security
The final phase of the original NYDFS Cybersecurity Regulation implementation, which became effective in March 2019, requires covered institutions to finalize policies regarding any third party that could potentially be given access to the system and/or files that are covered by the regulation.
Under this requirement, you’re mandated to develop a written policy that outlines risk assessment of third-party service providers, processes for evaluating the efficacy of the third-party service provider’s security practices and occasional assessments of third-party controls and policies.
Panorays: Automated Third-Party Security
Security shouldn’t be complicated—especially when there’s so much on the line. And at Panorays, we’ve developed a platform that’s intuitive, customizable and fully compliant with NYDFS regulations. It includes fast vetting, automation, continuous monitoring and a bevy of other features that cohesively work together to automate third-party security lifecycle management.
Want to learn about the steps your organization should take to comply with NYDFS? Download our guide here.