NYDFS Cybersecurity Regulation

Defining, achieving, and maintaining compliance with 23 NYCRR Part 500

At a Glance:

The NYDFS Cybersecurity Regulation requires New York insurance companies, banks, and other regulated financial services institutions—including agencies and branches of non-US banks licensed in the state of New York—to assess their cybersecurity risk profile. The NYDFS Cybersecurity Regulation is designed to protect consumers and to “ensure the safety and soundness of the institution,” as well as New York State’s financial services industry.

The regulation went into effect on March 1, 2017, with implementation to occur within 180 days (August 28, 2017); it affects entities regulated by the New York Department of Financial Services (DFS). Covered entities must also implement and maintain a comprehensive cybersecurity program in accordance with a specific compliance timeline.

What Is the NYDFS Cybersecurity Regulation?

The NYDFS issued the final Cybersecurity Regulation (23 NYCRR Part 500) in response to the growing sophistication of cybercriminals and the increasingly volatile cybersecurity climate facing US financial institutions. The goal of the regulation is to ensure the safeguarding of sensitive customer data and to promote the integrity of the information technology systems of regulated entities.

The regulation requires supervised entities to assess their cybersecurity risk profiles and implement a comprehensive plan that recognizes and mitigates that risk. Certain regulatory minimum standards have been set to assist organizations in preventing data breaches, including:

  • Risk-based minimum standards for information technology systems, including data protection and encryption, access controls, and penetration testing.
  • Requirements that the program be adequately funded, overseen by a chief information security officer (a role that may be filled by a third-party service provider), and implemented by qualified cybersecurity personnel.
  • Effective incident response plans that include preserving data needed to respond to data breaches, and timely notice to the NYDFS of material events.
  • Accountability provided by identification and documentation of deficiencies, remediation plans, and certifications of compliance on an annual basis.

Changes to the Final Regulation

You might already be familiar with the rules as originally proposed, but it’s important to note that the final regulation includes some important changes, including:

  • Audit trails—Data retention requirements were reduced from five to three years.
  • Notice—Covered Entities’ policies and procedures regarding notice provided by Third Party Service Providers affect only the Covered Entities’ Nonpublic Information being held by that Third Party Service Provider.
  • Reporting—Clarification of when a Covered Entity must provide notice of a cybersecurity event to the NYDFS.
  • Exemptions—The limited exemptions now include the gross annual revenue and the number of employees of a Covered Entity’s affiliates in New York.
  • Insurance—Exemption rules clarified for companies regulated under the insurance laws of New York.

Who Is Affected?

The NYDFS Cybersecurity Regulation covers any organization that is regulated by the Department of Financial Services. This includes:

  • Licensed lenders
  • State-chartered banks
  • Trust companies
  • Service contract providers
  • Private bankers
  • Mortgage companies
  • Insurance companies doing business in New York
  • Non-U.S. banks licensed to operate in New York

The regulation provides an exemption for organizations with:

  • Fewer than 10 employees
  • Less than $5 million in gross annual revenue for three years, or
  • Less than $10 million in year-end total assets

How Do Businesses Become Compliant?

The clock started ticking when the NYDFS Cybersecurity Regulation 23 NYCRR Part 500 took effect on March 1, 2017. There are multiple milestones and deadlines to hit in the first year alone, and organizations looking to become compliant will need to pay close attention to the calendar.

Covered Entities are required to be in compliance with certain parts of the regulation as soon as August 28, 2017, and must file their first Certification of Compliance with the NYDFS superintendent’s office by February 15, 2018.  

Important steps in achieving compliance are outlined according to the deadlines below. Note: this is just a partial list—a complete list with additional sections and deadlines can be found here.

Important Dates

March 1, 2017 – Effective date of final 23 NYCRR Part 500.

August 28, 2017 – 180-day mark: Regulated entities must be in compliance with 23 NYCRR Part 500 unless otherwise noted.

To achieve and maintain compliance, by this date a Covered Entity must:

  • Establish an Effective Cybersecurity Program—Section 500.02
  • Create and Maintain a Written Cybersecurity Policy—Section 500.03
  • Designate a Chief Information Security Officer (CISO)—Section 500.04
  • Hire Qualified Cybersecurity Personnel or Utilize Third Party Providers—Section 500.10
  • Establish an Incident Response Plan—Section 500.16

February 15, 2018 – Covered Entities must submit their first Certification of Compliance under 23 NYCRR 500.17(b) on or before this date.

March 1, 2018 – One-year mark. To maintain compliance, by this date organizations must:

  • Report: CISO Must File Cybersecurity Report—Section 500.04(b)
  • Regularly Conduct Penetration Testing and Vulnerability Management—Section 500.05
  • Conduct Bi-annual Risk Assessments—Section 500.09

September 3, 2018 – 1.5-year mark. By this date, Covered Entities must prove they’ve:

  • Maintained an Audit Trail—Section 500.06
  • Implemented Application Security Protocols—Section 500.08

Achieving and maintaining cybersecurity compliance is a complex process, but it doesn’t have to be a difficult or stressful one. Resources are available to help you take a proactive, data-driven approach to comprehensive cybersecurity, bringing your organization into full compliance while protecting your business’s valuable data and safeguarding your customers’ sensitive information.