NYDFS Implementation Grace Period Marks Strengthening Of Vendor Security

Amid growing concern about the security posture of the financial industry (concern that the 2017 Equifax breach would later underscore), the New York State Department of Financial Services (NYDFS) released the initial proposal for what would become 23 NYCRR 500. The regulation is designed to establish and standardize minimum cybersecurity requirements across the financial services entities that NYDFS regulates in New York.

Overview of 23 NYCRR 500

NYDFS, under its state law authority, released the initial documentation of the new cybersecurity regulation in the fall of 2016. The regulation is “designed to promote the protection of customer information as well as the information technology systems of regulated entities…Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations.”

The New York Department of Financial Services recognized that approaches to cybersecurity were too disjointed across an industry that is critical to many end customers, and that the financial industry must lead the way in protecting customers’ data and dollars.

23 NYCRR 500 differs slightly from similar industry regulations, such as the DFARS mandate for DoD contractors, in that its requirements are not explicitly based on a standard framework. However, when you review the core functions that NYDFS requires of a cybersecurity program (Section 500.02), patterns start to emerge:

(1) identify and assess internal and external cybersecurity risks that may threaten the security or integrity of Nonpublic Information stored on the Covered Entity’s Information Systems;

(2) use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity’s Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts;

(3) detect Cybersecurity Events;

(4) respond to identified or detected Cybersecurity Events to mitigate any negative effects;

(5) recover from Cybersecurity Events and restore normal operations and services; and

(6) fulfill applicable regulatory reporting obligations.

That language closely tracks the five functions of the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover), with regulatory reporting added as a sixth. Alongside this CSF-derived program, 23 NYCRR 500 mandates documented cybersecurity policies covering data governance and security, periodic risk assessments, annual penetration testing and bi-annual vulnerability assessments, and an extensive set of third-party service provider risk management practices.

23 NYCRR 500 Rollout

The rollout of the regulation has been gradual. It took effect on March 1, 2017, and the first transitional period ended on August 28, 2017, by which date Covered Entities had to comply with the core requirements. Since then, Covered Entities have had to notify NYDFS of qualifying Cybersecurity Events within 72 hours, file an annual Certification of Compliance, and retain the documentation supporting that certification, including records of remediation efforts.

Why Now?

So if 23 NYCRR 500 has been in effect for over two years, why is it still making waves in the cybersecurity industry? Remember those extensive vendor risk management practices included in the regulation? They’re why.

March 1, 2019 marked two years since the regulation came into effect, and it was the deadline for Covered Entities to implement the third-party service provider security policy required by Section 500.11, including:

  • The identification and risk assessment of third-party service providers
  • A minimum standard to be met by third-party service providers in order to do business with the covered entity
  • Due diligence processes used to evaluate the adequacy of third-party cybersecurity practices
  • Periodic risk assessment of third parties

This marked the conclusion of the phased rollout, and it has caused many organizations to rethink how they approach vendor risk within their cybersecurity programs.
