Is your agency in compliance with the NYDFS Cybersecurity Law?

One of the biggest threats to your business these days is your compliance with NY DFS - or lack thereof!

Don’t let what happened to First American happen to you. There are many misconceptions about the Law: some businesses assume they are small enough to be “exempt”, but there are no full exemptions. There are ONLY LIMITED EXEMPTIONS, which means you still must comply with the law.

NYDFS Cybersecurity Requirements for Financial Institutions

In 2017 the New York State Department of Financial Services created the NYDFS cybersecurity regulation 23 NYCRR 500, which held financial institutions accountable for maintaining their cybersecurity program. The goal of the regulation is to ensure the safeguarding of sensitive customer data and to promote the integrity of the information technology systems of regulated entities.

As a filing entity you must comply with the following:

All regulated entities will need to develop a cybersecurity policy and implement an incident response plan that includes a notification system for data breaches and cybersecurity events within 72 hours.

NYDFS 23 NYCRR 500 Cybersecurity Requirements are incredibly confusing, and the fines for not being compliant can be debilitating.

The DFS 23 NYCRR 500 applies to all regulated entities, meaning “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law”, including:

  • State banks
  • Licensed lenders
  • Private banks
  • Foreign banks operating in New York
  • Mortgage companies
  • Insurance companies
  • Trust companies
  • Service providers

The cybersecurity regulations do not specifically detail any potential penalties or the impact of noncompliance. Instead, they “will be enforced by the superintendent [of NYDFS] pursuant to, and [are] not intended to limit, the superintendent’s authority under any applicable laws.”

Enforcement actions most likely would arise pursuant to the general authority of NYDFS under the New York Banking Law, which authorizes the superintendent of NYDFS to require a regulated entity to pay a penalty “for any violation of this chapter [or] any regulation promulgated thereunder” (which would include the cybersecurity regulations).

Penalties pursuant to the New York Banking Law are authorized up to (a) $2,500 per day during which a violation continues, (b) $15,000 per day in the event of any reckless or unsound practice or pattern of misconduct, or (c) $75,000 per day in the event of a knowing and willful violation.

Cybersecurity Regulation Exemptions

Section 19 of the DFS cybersecurity regulation contains several exemptions. Most exemptions are limited in nature and still require Covered Entities to comply with some provisions of the Regulation. If you apply for an exemption, you still have to (a) file a Cybersecurity Notice of Exemption, (b) implement the required elements of the cybersecurity program, and (c) have cybersecurity policies and an incident response system in place.

500.19(a)(1) Fewer than 10 employees working in NYS

You are entitled to this limited exemption when your business has fewer than 10 employees, including independent contractors. You must still design and implement a Cybersecurity program, including submitting an annual Certification of Compliance.

500.19(a)(2) Less than $5M in gross annual revenue

You are entitled to this limited exemption when your business has less than $5,000,000 in gross annual revenue in each of the last 3 fiscal years. You must still design and implement a Cybersecurity program, including submitting an annual Certification of Compliance.

500.19(a)(3) Less than $10M in year-end total assets

You are entitled to this limited exemption when your business has less than $10,000,000 in year-end total assets. You must still design and implement a Cybersecurity program, including submitting an annual Certification of Compliance.

Proving Compliance with NYDFS

Using risk assessments to benchmark and assess the posture of your cybersecurity program is essential. At the end of each year, regulated institutions need to complete an annual certification process in coordination with the board of directors to evaluate their cybersecurity program.

At the end of this process, the organization will need to provide a Certification of Compliance with NYDFS Cybersecurity Regulation.

Under 23 NYCRR 500, a program must align with best practices covering:

  • Information security
  • Access controls and identity management
  • Business continuity and disaster recovery planning
  • Security and personnel training
  • Security of information systems
  • Network security
  • Periodic risk assessments
  • Internal reporting and auditing
  • Data encryption and protection
  • Threat feed detection
  • Incident response plans
  • Multi-factor authentication
  • Vendor/third-party risk assessments