BY Niall Rooney | 22 August 2018
The NYDFS Cybersecurity Regulation, 23 NYCRR 500, was issued by the New York State Department of Financial Services (NYDFS) and establishes cybersecurity requirements for the financial services institutions it regulates and, through them, for their third-party service providers. Its purpose is to protect both the financial services industry and its consumers from the growing threat of cyber criminals and cyber attacks.
Regulation 23 NYCRR 500 gives these organisations a baseline framework for developing a cybersecurity program tailored to their own business model and risks. Its sections (500.00 through 500.23) set out the requirements for developing and implementing a robust cybersecurity program. The rules require each company to assess its own risk profile and design a program that addresses those risks proactively rather than after an incident.
Some of the key requirements are:
Who does it apply to?
Regulation 23 NYCRR 500 applies to every "covered entity": any person or organisation operating under, or required to operate under, a licence, registration, charter, certificate, permit, accreditation or similar authorisation under New York's Banking Law, Insurance Law or Financial Services Law. Third-party service providers are not regulated directly, but covered entities must impose security requirements on them (see Phase 4 below).
The regulation (section 500.19) allows a limited exemption for certain covered entities, such as:
A limited exemption still leaves the entity subject to part of the regulation. The list of entities exempt from the regulation altogether is very short: charitable annuity societies, risk retention groups not chartered in New York, and accredited or certified reinsurers. Most financial institutions in New York must therefore comply with Regulation 23 NYCRR 500.
Covered entities must document their cybersecurity policies, which must address, among other areas, information security, access controls and identity management, business continuity and disaster recovery planning, systems and network security, customer data privacy and regular risk assessment.
Appoint a CISO
Organisations must designate a qualified Chief Information Security Officer (CISO) responsible for overseeing and implementing the cybersecurity program and enforcing the cybersecurity policy. The CISO may be an employee, an affiliate or a third-party service provider; in the latter case the covered entity remains responsible for compliance and must designate a senior member of its own personnel to oversee the provider. Personnel responsible for the cybersecurity program must receive regular training and stay current with changing threats and with changes to the regulation in order to keep the organisation compliant.
NYDFS must be notified, within 72 hours of the determination, of any cybersecurity event that either requires notice to another government body, self-regulatory agency or supervisory body, or has a reasonable likelihood of materially harming any material part of the organisation's normal operations. Organisations must also limit user access privileges to information systems that provide access to nonpublic information, and periodically review those privileges so that access stays under continuous control.
Organisations subject to the regulation must go beyond previous cybersecurity expectations by implementing additional data security practices such as:
The Four Phases of the regulation
The regulation is a significant shift for institutions in New York, so the NYDFS introduced a phased approach: the regulation took effect on March 1, 2017, and each group of requirements has its own transitional deadline, giving organisations time to implement each component of the framework.
Two phases have already passed.
Phase 1. Implementing the basics, effective August 28, 2017.
Each institution had to establish a cybersecurity program and a written cybersecurity policy, designate a Chief Information Security Officer (CISO), limit and review user access privileges, employ qualified cybersecurity personnel, and establish a written incident response plan. From this date, cybersecurity events meeting the notification criteria had to be reported to NYDFS within 72 hours. The first annual certification of compliance was then due on February 15, 2018.
Phase 2. Establishing reporting functions, effective March 1, 2018.
From this date the CISO is responsible for reporting in writing, at least annually, to the board of directors (or equivalent governing body) on the organisation's cybersecurity program and material cyber risks, including the overall effectiveness of the program. Institutions also had to conduct periodic risk assessments, carry out annual penetration testing and bi-annual vulnerability assessments (unless they have effective continuous monitoring), implement multi-factor authentication (or controls the CISO has approved as at least equivalent) for access to internal networks from external networks, and provide regular cybersecurity awareness training for all personnel.
Phase 3. Developing a cybersecurity program, effective September 3, 2018.
Each organisation must now implement a cybersecurity program that includes:
Phase 4. Securing third parties, effective March 1, 2019.
The final phase focuses on third-party service providers. Each covered entity must have written policies and procedures to ensure the security of information systems and nonpublic information that are accessible to, or held by, its third-party service providers. At a minimum, the policy has to define the following:
The regulation is the result of a long history of damaging cyber attacks and data breaches in the financial industry. The industry is a persistent target because of the sensitive nature of the data it stores and processes, which attackers can monetise directly, and because defences have historically been uneven across institutions. By making the practices above part of business-as-usual operations, financial services companies are positioned to reduce both the likelihood and the impact of a breach.
The main message running through the regulation is that financial institutions must operate regular, comprehensive cybersecurity practices in order to prevent data breaches. This is a potent message given that data breaches are rising globally, and organisations must adapt quickly and efficiently to maintain the security of their customers' information.
To help you evaluate your current cybersecurity risk, or to conduct a risk assessment against 23 NYCRR 500, schedule a meeting with one of our North American experts.