Following the Equifax breach and growing concerns about the posture of the financial industry, New York State Department of Financial Services (NYDFS) released the initial proposal for what would become 23 NYCRR 500. 23 NYCRR 500 is designed to foster and standardize cybersecurity across the financial services industry in New York.
Overview of 23 NYCRR 500
NYDFS, under its state law authority, released the initial documentation of the new cybersecurity regulations in fall of 2016. The regulation is “designed to promote the protection of customer information as well as the information technology systems of regulated entities…Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations.”
The New York Department of Financial Services recognized that approaches to cybersecurity were too disjointed across a critical industry for many end customers and that the financial industry must lead the way in protecting customers data and dollars.
23 NYCRR 500 is slightly different from similar industry regulations, such as the DFARS mandate for DoD contractors, in that the requirements are not explicitly based on a standard framework. However, reviewing the requirements of what NYDFS defines as a suitable cybersecurity program patterns start to emerge:
(1) identify and assess internal and external cybersecurity risks that may threaten the security or integrity of Nonpublic Information stored on the Covered Entity’s Information Systems;
(2) use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity’s Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts;
(3) detect Cybersecurity Events;
(4) respond to identified or detected Cybersecurity Events to mitigate any negative effects;
(5) recover from Cybersecurity Events and restore normal operations and services; and
(6) fulfill applicable regulatory reporting obligations.
That to us appears to be similar language found in the five functions of the NIST Cybersecurity Framework. Alongside a derivative of the CSF, 23 NYCRR 500 mandates documented policy standards for data management and security. Furthermore, compliance requires periodic risk assessments and penetration testing, as well as an extensive list of vendor risk management practices.
23 NYCRR 500 Rollout
The NYDFS regulation rollout has been gradual since it was officially implemented in 2017. Organizations that are required to comply had to be compliant by August 28, 2017. Since then organizations covered by the regulation have had to report periodically and deliver documentation on remediation efforts.
So if 23 NYCRR 500 has been in effect for over two years, why is it still making waves in the cybersecurity industry? Remember those extensive vendor risk management practices included in the regulation? They’re why.
March 1, 2019 marked two years since the law came into effect and that was the deadline for required organizations to implement the necessary vendor risk practices including:
- The identification and risk assessment of third-party service providers
- A minimum standard to be met by third-party service providers in order to do business with the covered entity
- Due diligence processes used to evaluate the adequacy of third-party cybersecurity practices
- Periodic risk assessment of third parties
This has been the the conclusion of the rollout for the regulation and it has caused many organizations to rethink how they approach their cybersecurity practices.
Miss the deadline for NYDFS 23 NYCRR500? Download our NYDFS Compliance Guide to get started.