<img src="https://ws.zoominfo.com/pixel/4CagHYMZMRWAjWFEK36G" width="1" height="1" style="display: none;">
Request Demo

Financial Services

The NYDFS Cybersecurity Regulation Explained

down-arrow

In 2017 the New York State Department of Financial Services (NYDFS) created the NYDFS cybersecurity regulation 23 NYCRR 500, which held financial institutions accountable for maintaining their cybersecurity program. These regulation requirements, heavily based on the NIST Cybersecurity Framework, demand regulated entities to assess their cybersecurity risk and proactively improve them, while also allowing for flexibility based on the needs, scope, and influence of a financial institution. As such, to be compliant with New York Department of Financial Services cybersecurity regulations, organizations will need to maintain cybersecurity obligations continuously. As the threat of data breaches and cyber attacks grows by the day, so does the need for regulation to protect organizations and provide a measurable standard of operation.

The NYDFS cybersecurity regulation applies to any financial institution in operation under NYDFS licensure, including:

  • State banks
  • Licensed Lenders
  • Private Banks
  • Foreign Banks operating in New York
  • Mortgage Companies
  • Insurance companies
  • Trust companies
  • Service providers

The 23 NYCRR 500 does have limited exemptions for financial institutions with less than ten employees and less than 5 million in gross annual revenue in the past three years. Additionally, institutions that do not have any nonpublic information or sensitive data are entitled to certain exemptions as well.

Proving Compliance with NYDFS

Taking influence from the NIST CSF, an organization will need to develop a data security policy and implement an incident response plan that includes a notification system for data breaches and cybersecurity events within 72 hours. Under 23 NYCRR 500, a program must coincide with best practices that support:

  • Information Security
  • Access Controls and identity management
  • Business continuity and disaster recovery planning
  • Security and Personnel Training
  • Security of information systems
  • Network Security
  • Periodic risk assessments
  • Internal reporting and auditing
  • Data Encryption and Protection
  • Threat Feed Detection
  • Incident Response Plans
  • Multi-Factor Authentication
  • Vendor/ Third-Party Risk Assessments

Utilizing risk assessments to benchmark and assess the posture of your cybersecurity program is essential.At the end of each year, financial institutions need to complete an annual certification process in coordination with the board of directors to evaluate their cybersecurity program. At the end of this process, the organization will need to provide a Certification of Compliance with NYDFS Cybersecurity Regulation.

Utilizing an integrated risk management platform like CyberStrong can help streamline this process and many other gold standard frameworks. Integrated risk management can centralize compliance efforts, saving cybersecurity teams and Chief Information Security Officers (CISOs)valuable time, energy, and resources, bridging the gap between cybersecurity and the board to translate the importance of the organization’s cybersecurity needs fully. By integrating dashboards, patented AI, and groundbreaking reporting to your cybersecurity program, you can prove your compliance with NYDFS cybersecurity regulations and multiple other custom frameworks and controls with an audit trail in hours instead of days.

If you have any additional questions about integrated risk management or how CyberStrong can help bolster your institution’s cybersecurity objectives, give us a call at 1 800 NIST CSF or click here and request a free demo.

You may also like

November 2021 Product Update: Big ...
on December 2, 2021

  Gain visibility through expandable graphics and improved search filters!   "What is this? A dashboard made for ants? How can we be expected to report risk to our executives if ...

Kyndall Elliott
Why Your Cyber Risk Quantification ...
on November 29, 2021

Cybersecurity and risk management are essential to the success of an enterprise, but not all business units see it like that. Rather, executives and board members can see it as a ...

Enabling Risk Register Benchmarking
on November 8, 2021

Risk quantification has bridged the security world to the business world. By quantifying risk, security leaders have been able to frame cybersecurity in a business context and ...

Leveraging FAIR to Unite IT, ...
on October 29, 2021

Cyber and information security can be tough topics to digest. Adding on the element risk can make things even more confusing for those unversed in cybersecurity, leaving CISOs and ...

Modern-Day Cybersecurity ...
on October 22, 2021

A CISO is responsible for many things in an enterprise. They are in charge of establishing security and governance practices, identifying security objectives, enabling a framework ...

Aligning Security and Privacy ...
on October 8, 2021

For too long, companies have made the mistake of separating privacy and security regulation. This has led to numerous security gaps that cybercriminals have exploited and ...