The NYCRR 500 and Sensitive Data Discovery

The NYDFS Cybersecurity Regulation, 23 NYCRR 500 has been set out by the New York State Department of Financial Services (NYSDFS) establishing cybersecurity requirements and protections for all financial services institutions and service providers. The purpose of creating the new regulation is to protect both the financial services industry and its consumers from the rising threat of cyber criminals and cyber attacks.

Regulation 23 NYCRR 500 has now provided these organizations with a basic framework for developing comprehensive cybersecurity programs specific to their business models and risks. The framework has set out 23 sections dedicated to the requirements of developing and implementing a robust cybersecurity program. The strict cybersecurity rules will force each company to assess its risk profile and design a program that addresses its risks proactively.

Some of the key requirements are;

• To identify all cybersecurity threats, both internal and external.
• Employ defence infrastructure to protect against those threats.
• Use a system to detect cybersecurity events.
• Respond to all detected cybersecurity events.
• Work to recover from each cybersecurity event.
• Fulfil various requirements for regulatory reporting.

Who does it apply to?

Regulation 23 NYCRR 500 applies to all financial institutions operating under the NYSDFS licence as well as third-party service providers.

• State-chartered banks
• Licensed Lenders
• Private bankers
• Foreign banks authorized to operate in New York
• Mortgage companies
• Insurance companies
• Service providers

The regulation allows a limited exemption for certain covered entities, such as:

• Companies with less than 10 people;
• A company that has acquired less than $5 million in gross annual revenue from NY state operations;
• A company that alongside its affiliates has less than $10 million in end-of-year total assets; and
• A licensed captive insurer that does not, or is not required to, control, access, receive or store non-public information other than information related to its corporate affiliates.

The list of companies that are exempt from the law is very small, such as Charitable and foreign risk groups operating in New York. Most financial institutions in New York need to be in alignment with the requirements of Regulation 23 NYCRR 500.

Documentation

Covered institutions must now document their newly implemented policies and address concerns pertaining to information security, access controls, disaster recovery planning, systems and network security, customer data privacy and regular risk assessments.

Appoint a CISO

Organisations must appoint a qualified Chief Information Security Officer (CISO) to oversee and implement the new data protection changes and ensure the requirements of the policy are met. Staff tasked with managing the evolving cybersecurity policy must be constantly trained and kept up to date on new changes in order to remain capable of adhering to the new standards.

Notification

The New York Department of Financial Services must be notified of all cybersecurity instances that have the potential or “reasonable likelihood” of causing material harm. Companies must watch over and limit the access privileges that are granted to users within the organisation to ensure that accessibility is kept under constant vigilant control.

New practices

Organisations held to account by the regulation must exceed previous cybersecurity expectations be implementing extra data security practices such as:

• Enhanced multi-factor authentication
• Completion of an annual certification to confirm the achievement of compliance with the new rules.
• Encryption of sensitive data.
• Efficient incident reporting of all cybersecurity instances.

The Four Phases of the regulation

The regulation is a significant shift for institutions in New York so the NYDFS decided to introduce a phased approach of compliance with each phase having an effective date to allow organizations to implement each component of the new framework.   

Two phases have already passed.

Phase 1. Implementing the basics, effective February 15, 2018.

Each institution had to design a cybersecurity policy, designate a Chief Information Security Officer (CISO), and establish an incident response plan, which includes a plan for breach notifications within 72 hours.

Phase 2. Establishing Reporting Functions, Effective, March 1st, 2018.

Under the new regulation, a CISO is now responsible for preparing an annual report covering an organization’s information security policies and procedures, cyber risks, and the effectiveness of its cybersecurity programs. The institutions were also required to design and implement a cybersecurity program that continually tests the organization’s vulnerabilities and multi-factor authentication.

Phase 3, Developing a Cybersecurity program, effective September 3rd, 2018.

All the organisation must now implement a cybersecurity program that includes;

• Keep a detailed audit trail showing the detection of and response cyber security events, this record must be kept for 5 years.
• Documented procedures, guidelines, and standards for secure practices around applications and the testing of any external applications that may affect them.
• Data retention policies for the disposal of nonpublic personal information.
• The implementation of security controls, such as encryption of non-public business relations and personal information.

Phase 4. Securing Third Parties, effective March 1st, 2019.

The final phase focuses on third-party service providers and the expected security policy has to define at a minimum, the following:

• The identification and risk assessment of third parties to service providers;
• Cybersecurity requirements that must be met in order to conduct business between covered entities and the third-party service providers;
• The implementation of due diligence processes to evaluate the adequacy of cybersecurity practice of the service providers; and
• Periodic assessments of third-party policies, procedures, and controls.

Summary

The new regulations being implemented are as a result of a long history of damaging cyber attacks and data breaches in the financial industry. This industry has been plagued with cyber breaches due to the sensitive nature of the data it regularly stores and processes. The data is, therefore, an attractive target for attackers who hope to profit from the lack of adequate cybersecurity defences the financial industry has had previous to this regulation. Following the implementation of this new regulation, financial services companies will be positioned to actively reduce the threat of cyber breach instances by maintaining good data security practices as part of their business-as-usual operations.

The main message running through this regulation is for financial institutions to conduct regular and comprehensive cybersecurity practices in order to prevent data breaches from occurring. This is a potent message considering that data breaches are on the rise globally and organisations must adapt quickly and efficiently to maintain the security of their customer’s information.

To help you evaluate your current cybersecurity risk or to conduct a risk assessment with the 23 NYCRR 500, schedule a meeting with one of our North American experts here: