NYDFS Implementation Grace Period Marks Strengthening Of Vendor Security

Following the Equifax breach and growing concerns about the security posture of the financial industry, the New York State Department of Financial Services (NYDFS) released the initial proposal for what would become 23 NYCRR 500. 23 NYCRR 500 is designed to foster and standardize cybersecurity across the financial services industry in New York.

Overview of 23 NYCRR 500

NYDFS, under its state law authority, released the initial documentation of the new cybersecurity regulations in fall of 2016. The regulation is “designed to promote the protection of customer information as well as the information technology systems of regulated entities…Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations.”

The New York Department of Financial Services recognized that approaches to cybersecurity were too disjointed across an industry that is critical for many end customers, and that the financial industry must lead the way in protecting customers' data and dollars.

23 NYCRR 500 is slightly different from similar industry regulations, such as the DFARS mandate for DoD contractors, in that its requirements are not explicitly based on a standard framework. However, when you review what NYDFS defines as a suitable cybersecurity program, patterns start to emerge. The program must:

(1) identify and assess internal and external cybersecurity risks that may threaten the security or integrity of Nonpublic Information stored on the Covered Entity’s Information Systems;

(2) use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity’s Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts;

(3) detect Cybersecurity Events;

(4) respond to identified or detected Cybersecurity Events to mitigate any negative effects;

(5) recover from Cybersecurity Events and restore normal operations and services; and

(6) fulfill applicable regulatory reporting obligations.

To us, that language closely mirrors the five functions of the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover). Alongside this CSF-like core, 23 NYCRR 500 mandates documented policy standards for data management and security. Furthermore, compliance requires periodic risk assessments and penetration testing, as well as an extensive list of vendor risk management practices.

23 NYCRR 500 Rollout

The NYDFS regulation rollout has been gradual since it officially took effect in 2017. Covered organizations had to be compliant by August 28, 2017. Since then, organizations covered by the regulation have had to report periodically and deliver documentation on their remediation efforts.

Why Now?

So if 23 NYCRR 500 has been in effect for over two years, why is it still making waves in the cybersecurity industry? Remember those extensive vendor risk management practices included in the regulation? They’re why.

March 1, 2019, marked two years since the regulation came into effect, and it was the deadline for covered organizations to implement the required vendor risk practices, including:

  • The identification and risk assessment of third-party service providers
  • A minimum standard to be met by third-party service providers in order to do business with the covered entity
  • Due diligence processes used to evaluate the adequacy of third-party cybersecurity practices
  • Periodic risk assessment of third parties

This marked the conclusion of the regulation's rollout, and it has caused many organizations to rethink how they approach their cybersecurity practices.
