23 NYCRR 500 COMPLIANCE
NYDFS Cybersecurity Risk Assessment
At RSI Security we are experts in guiding you through the process of achieving New York DFS 23 NYCRR 500 compliance.
As of March 2017, the New York State Department of Financial Services (DFS) requires the financial sector it regulates to abide by its cybersecurity regulation. All individuals or entities operating under a license, registration, charter, certificate, permit, accreditation or similar authorization under New York banking, insurance, or financial services law are required to comply with the regulation.
Organizations know that this is an ongoing process and not a once-a-year event. We can help you through it so that you have the peace of mind that your data, and more importantly your customers' data, is secure.
What Is the New York DFS 23 NYCRR 500 Regulation?
The New York DFS 23 NYCRR 500 Regulation is a set of cybersecurity requirements for financial institutions regulated by DFS. It became effective on March 1, 2017. The objective of the regulation is to address the growing threat of cybercrime and the significant risk it poses to the financial services industry in particular.
23 NYCRR 500 Cybersecurity Requirements:
The requirements in the NYDFS Cybersecurity Regulation overlap heavily with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), and they are widely treated as baseline best practice for the financial industry.
The regulation's 23 sections require covered entities to establish and maintain a cybersecurity program that protects the entity itself along with its customers or clients. The program must be overseen by a chief information security officer (CISO) and must include encryption of nonpublic information, documented processes for securing data, penetration testing and vulnerability assessments, thorough written policies and records, and a written incident response plan.
Checklist for 23 NYCRR Part 500
There are 23 defined requirements to meet for NYDFS compliance. Use this condensed NYDFS 500 checklist to ensure your organization addresses each area of concern:
- Cybersecurity program – Covered entities must establish and maintain a cybersecurity program and policy and a third-party service provider security policy.
- Qualified cybersecurity personnel – A qualified CISO must be appointed to oversee the cybersecurity program, and qualified cybersecurity professionals should be employed to help manage it.
- Security assessments – Penetration testing (at least annually under the 2017 text), vulnerability assessments (at least twice a year), and periodic risk assessments must be performed, with the risk assessment driving the design of the rest of the program.
- Secure data and applications – In-house applications must be developed under written secure-development procedures (and third-party applications evaluated), nonpublic information must be encrypted in transit over external networks and at rest (with CISO-approved compensating controls where encryption is infeasible), and limits on the retention of nonpublic information must be established and followed.
- Access controls – User access privileges to nonpublic information must be limited and periodically reviewed, and multi-factor authentication is required for any individual accessing the entity's internal networks from an external network unless the CISO approves reasonably equivalent controls.
- Personnel management – Provide cybersecurity training to personnel and monitor activities to ensure compliance with the policy.
- Incident response plan – The cybersecurity program must include a written incident response plan for responding to and recovering from breaches or other incidents fully and swiftly. In the case of a reportable cybersecurity event (one that must be reported to another government body or that has a reasonable likelihood of materially harming normal operations), the Superintendent of Financial Services must be notified within 72 hours of the entity determining that the event occurred.
- Audit trail – Covered entities must maintain audit trails and retain them for a minimum period: at least three years for records used to detect and respond to cybersecurity events, and at least five years for records that allow material financial transactions to be reconstructed.
Who Does NYDFS Cybersecurity Regulation Apply To?
The NYDFS cybersecurity rules apply to all covered entities, which the regulation defines as any entity "operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law."
Covered entities with fewer than 10 employees (including independent contractors), less than $5 million in gross annual revenue from New York operations in each of the previous three fiscal years, or less than $10 million in year-end total assets qualify for a limited exemption: they are excused from several of the more demanding sections (such as the CISO, penetration testing, audit trail, multi-factor authentication, and encryption requirements) but must still maintain a cybersecurity program and policy, perform risk assessments, and file a Notice of Exemption with DFS. The November 2023 amendment raised these thresholds, so check the current text of the regulation before relying on them.
How Can I Meet the DFS 23 NYCRR 500 Cybersecurity Regulation?
For organizations that qualify as covered entities, meeting DFS 23 NYCRR 500 Cybersecurity Regulation can be broken down into a few primary stages:
- Appoint a CISO – Utilize a traditional, C-suite chief information security officer, or outsource to a virtual CISO, to oversee cybersecurity within the organization.
- Develop a security program and policy – Follow the guidelines detailed in the regulation to develop a compliant cybersecurity program and policy.
- Perform risk assessments – Assess your organization to gain thorough insight into the state of your current IT infrastructure and the risks to the nonpublic information it holds; the regulation expects the rest of the program to be built around this assessment.
- Implement security measures - Implement the policies and procedures defined by the security program.
- Board review and certification – After review by the board of directors (or a senior officer), file the annual Certification of Compliance with DFS attesting that the requirements have been met.
- Perform ongoing assessments – Perform ongoing monitoring and regular assessments to ensure best practices are followed and to facilitate ongoing compliance.
At RSI Security, we make NYDFS compliance manageable for the heavily regulated financial services industry.
Not maintaining NYDFS 23 NYCRR 500 compliance can have devastating consequences:
- Lost customers
- Fraud losses
- Legal costs, settlements, judgments
- Fines and penalties
- Brand erosion
- Going out of business
“New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever increasing threat of cyber-attacks… These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes.”
- New York Governor Andrew Cuomo
23 NYCRR 500 Compliance FAQs
Who is a covered entity under 23 NYCRR 500?
Covered entities are those that operate, or are required to operate, under New York Banking Law, Insurance Law, or Financial Services Law. This includes:
- Private bankers and state-chartered banks
- Licensed lenders and trust companies
- Mortgage companies and service contract providers
- Insurance companies and non-U.S. banks licensed to operate in New York
Who enforces 23 NYCRR 500?
23 NYCRR 500 is enforced by the Superintendent of Financial Services at the New York State Department of Financial Services.
Are any covered entities exempt?
Some covered entities qualify for a full or limited exemption from 23 NYCRR 500, such as:
- Organizations with fewer than 10 employees
- Organizations with less than $5 million in gross annual revenue in each of the previous three fiscal years
- Organizations with less than $10 million in year-end total assets
- Certain charitable entities, such as charitable annuity societies
The first three categories qualify for a limited exemption only: those entities must still meet the core requirements (cybersecurity program, policy, risk assessment, third-party service provider policy) and must file a Notice of Exemption with DFS.
How many requirements does 23 NYCRR 500 contain?
23 NYCRR 500 contains 23 sections setting out the compliance requirements. They cover the necessary considerations for a compliant cybersecurity program, with an emphasis on proper oversight, management, security procedures, data management, employee training, documentation, and reporting.