NYDFS Cybersecurity Regulation (23 NYCRR 500) is a set of regulations from the NY Department of Financial Services (NYDFS) which took effect on March 1, 2017 that requires financial institutions to enact a complete cyber security program.
23 NYCRR 500 Regulation: Who does it apply to?
Any entity that is supervised by the Department of Financial Services, including:
- Credit Unions
- Insurance Companies
- Investment Companies
- Mortgage Lenders
- Financial Service Centers
- Mortgage Lenders
- Service Providers
- Private Bankers
- Brokers / Dealers
23 NYCRR 500 Regulation: Who is exempt?
There are limited exemptions to the NYDFS Cybersecurity Regulation on covered entities. This does not mean that an entity is completely exempt from the 23 NYCRR 500 regulation, just that certain sections may not apply. These exemptions are:
- fewer than 10 employees, including any independent contractors, of the Covered Entity or its Affiliates located in New York or responsible for business of the Covered Entity, or
- less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations of the Covered Entity and its Affiliates, or
- less than $10,000,000 in year-end total assets
DFS Certificate of Compliance:
Per the December 21, 2018 DFS memorandum on the NYCRR cybersecurity regulation 23 NYCRR 500 / NYDFS certificate of compliance: “DFS’s regulation requires each entity to conduct an annual review and assessment of its cybersecurity program’s achievements, deficiencies and overall compliance with regulatory standards and to certify the institution’s compliance with the regulation on an annual basis. The DFS compliance certification is a critical governance pillar for the cybersecurity program of all DFS regulated entities. The first certification deadline was February 15, 2018, which was successful and provided DFS with information from which we have been working to improve our processes. DFS currently is preparing for the second annual certifications of compliance due by February 15, 2019.”
Some of the requirements for the NYDFS cybersecurity regulation include:
- Maintaining a complete cyber security program which includes policies and procedures on how to detect, respond, and recover from a cyber security event, as well as how to fulfill applicable regulatory reporting obligations
- Implementing a Chief Information Security Officer (CISO)
- Maintaining a written cyber security policy
- Perform periodic penetration testing for compliance and vulnerability assessments
- Perform periodic risk assessments of information systems
This list may appear to be quite daunting. However, Stronghold Cyber Security can assist with ANY and EVERY aspect of the NYDFS Cybersecurity Regulation, including the ongoing requirements of periodic assessments and penetration testing. We not only GET your financial institution 23 NYCRR 500 compliant, we can KEEP it there!
The time is up: March 1, 2019 is the final deadline for NCYRR 500 compliance.
By March 1, 2019, all banks, insurance companies, and other financial services institutions and licensees regulated by DFS will be required to have a robust cybersecurity program in place that is designed to protect consumers’ private data; a written policy or policies that are approved by the Board of Directors or a Senior Officer; a Chief Information Security Officer to help protect data and systems; and controls and plans in place to help ensure the safety and soundness of New York’s financial services industry including encryption and multifactor authentication.