What is 23 NYCRR 500 Compliance?
New York 23 NYCRR part 500 (formally NYS DFS Cybersecurity 23 NYCRR 500 Regulation) compliance can be a daunting lift, especially for those who haven't started to remediate, and even for those who have secured compliance but aren't sure how to continuously prove compliance easily without taking time, effort, and resources away from existing projects.
Governor Cuomo announced that their cyber regulation was the "first in the nation" to protect both consumers and financial institutions. "The regulation requires banks, insurance companies, and other financial services institutions regulated by the State Department of Financial Services" to put into place a continuously maintained cybersecurity program and report data breaches and other cybersecurity events within 72 hours with limited exemptions. The program is supposed to be designed to protect the consumers that each financial institution serves and to secure New York State’s financial services industry and its information systems this year and beyond as cyber vulnerabilities evolve. This regulation includes everything from appointing a Chief Information Security Officer to implementing two or multi-factor authentication (2FA or MFA). In short, the reg is quite extensive.
According to the New York DFS, "This regulation requires each company to assess its specific cybersecurity risk profile and design a program that addresses its risks in a robust fashion. Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations. A regulated entity’s cybersecurity program must ensure the safety and soundness of the institution and protect its customers."
Who Falls Under the Regulation?
According to the legislative document itself, "Cybersecurity Requirements for Financial Services Companies", insurance brokers, agents, and companies that are licensed in New York state are subject to the requirements of this regulation -- including non-residents. This means if a bank or entity has a location in New York that qualifies, it also falls under 23 NYCRR 500 compliance. Covered entity means “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”
When is the Compliance Deadline?
The NY DFS made it clear that the NYCRR 500 regulation is a priority, "It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs. The number of cyber events has been steadily increasing, and estimates of the potential risk to our financial services industry are stark. Adoption of the program outlined in these regulations is a priority for New York State."
According to the New York State Department of Financial Services, "All regulated entities and licensed persons of the Department of Financial Services (DFS) were required to file a cybersecurity regulation Certification of Compliance under 23 NYCRR 500 by February 15, 2018 - seeing as it's the end of March now, you'll need something to ensure your compliance as soon as practical. Please be aware that if you hold more than one license, then you need to file a separate Certification of Compliance for each license you hold." On/before Feb. 15, 2018—the first annual certification of compliance will be due to the New York State Department of Financial Services.
The NYC DFS Cyber Compliance Requirements include:
A cybersecurity policy based on the Covered Entity’s Risk Assessment, that addresses the areas below to the extent applicable to the Covered Entity’s (or Your Business's) operations:
(a) information security;
(b) data governance and classification;
(c) asset inventory and device management;
(d) access controls and identity management;
(e) business continuity, disaster recovery, and incident response planning and resources; (f) systems operations and availability concerns;
(g) systems and network security;
(h) systems and network monitoring;
(i) systems and application development and quality assurance;
the list goes on...
(j) physical security and environmental controls;
(k) customer data privacy;
(l) vendor and Third Party Service Provider management; (m) risk assessment; and
(n) incident response.
Organizations also must appoint a CISO, "Each Covered Entity shall designate a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy (for purposes of this Part, “Chief Information Security Officer” or “CISO”). The CISO may be employed by the Covered Entity, one of its Affiliates, or a Third Party Service Provider."
Application Security, Pen Testing, Audit Trail... it's likely that you have a lot of these cyber-related measures in place as a financial institution. However, some of these action items might be a lift for your organization, and avoiding misdirection on what the next cost-effective action is can be difficult to know for sure.
Get NYCRR 500 Compliant
We’ve talked to a lot of organizations facing the uphill battle of complying with this financial cybersecurity regulation. It’s clear that DFS Compliance is no small task, and if you’re wondering how to approach the 23 NYCRR 500 compliance, you’re likely not the only one amongst your peers. We’ve seen some organizations master it with the help of CyberStrong, and we’ve seen others struggle to figure out what the most cost-effective plan of action is for quick and thorough compliance. CyberStrong looks at the controls you must comply with and gives you a cost-impact weighted plan of action on how to get there.
Many C-Suites and Boards of Directors prioritize cybersecurity as a business concern, and practitioners can expect institutions to seek solutions that continuously track, harmonize, and automate their compliance practices over time. Using an integrated risk management program like CyberStrong can empower your organization to track not only FFIEC but other gold-standard cybersecurity frameworks alongside it. FFIEC was built upon the best practices of multiple frameworks, like the NIST CSF, COBIT, DFARS, and SOX, to name a few, and using an integrated risk management solution can harmonize those frameworks by crosswalking and automating your compliance efforts as well as benchmark against your current risk profile. If you have any questions or want to discuss how CyberStrong or Integrated Risk Management benefits financial institutions click here to schedule a free demo.
