
5 Highlights Of The NYDFS Cybersecurity Regulations

Jake Olcott | December 14, 2017

In March 2017, the New York Department of Financial Services (NYDFS) cybersecurity regulations—known as 23 NYCRR Part 500—went into effect. According to the regulation, “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” is considered a covered entity and must comply.

The new regulations acknowledge that the threat posed by bad actors and cybercriminals has increased significantly over the past decade. In the early 2000s, a large number of state laws were passed which, among other things, required companies to disclose a data breach to consumers if their data or personally identifiable information (PII) was compromised. The NYDFS cybersecurity regulations mark a new wave of regulation that requires specific cybersecurity measures to be put in place so that breaches are less likely to occur. 23 NYCRR Part 500 signals a shift from regulating breach disclosure to regulating the implementation of appropriate security controls.

Noncompliance with 23 NYCRR Part 500 can lead to fines or program reviews, but the full scope of those consequences is not yet known. It’s important for your organization to thoroughly review and consider the regulation in full, but there are five high-level requirements of the NYDFS regulation you should know about:


1. Covered entities are required to have a cybersecurity program.

According to section 500.02 (on page 3), “Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems.”

In addition to this overarching requirement, covered entities must employ a chief information security officer (CISO) who must report to the board, and senior management must review and approve the cybersecurity policies.

2. Covered entities are required to have a third-party service provider risk management program.

According to section 500.11 (on page 7), “Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers.”

As part of this requirement, covered entities must perform due diligence on all third-party vendors and periodically assess their security. Continuous monitoring programs like BitSight Security Ratings make the vendor risk management process much simpler.

3. Covered entities are required to file annual compliance certification.

The regulation states that the chairman of the board for a covered entity must submit a self-certification stating that the board has reviewed the cybersecurity documentation and policies and that the covered entity is compliant with the NYDFS regulations.

4. Covered entities are required to provide cybersecurity training.

Section 500.14 (page 9) broadly states that covered entities should “provide regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the Covered Entity in its Risk Assessment.”

In essence, all employees should understand how to handle IT and security issues so they are capable of helping your organization mitigate and address cyber risks.

5. Covered entities are required to use technology controls for cybersecurity.

A number of technological controls are mentioned in the regulation, including application security (section 500.08), penetration testing and vulnerability assessments (section 500.05), multi-factor authentication (section 500.12), and encryption of nonpublic information (section 500.15).

If your financial services company is a covered entity under these regulations, the New York Department of Financial Services website lists a few key dates to keep in mind:

  • February 15, 2018—Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.
  • March 1, 2018—One-year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500.
  • September 3, 2018—Eighteen-month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.
  • March 1, 2019—Two-year transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11.

If you need to comply with the NYDFS cybersecurity regulation requirements (and surpass them), BitSight can help. Security Ratings can help your organization produce more impactful cybersecurity reports to share with the board; quickly and easily identify, assess, and manage third-party cyber risk; and continuously monitor potential security issues as they arise.
