NYDFS Cybersecurity Requirements for Financial Institutions
In 2017 the New York State Department of Financial Services (NYDFS) issued its cybersecurity regulation, 23 NYCRR Part 500, which holds regulated financial institutions accountable for establishing and maintaining a cybersecurity program. The goal of the regulation is to safeguard sensitive customer (nonpublic) information and to protect the integrity of the information systems of regulated entities.
As a covered entity you must, at a minimum, comply with the following:
Every regulated entity must adopt a written cybersecurity policy and implement an incident response plan; under Section 500.17, it must also notify the superintendent within 72 hours of determining that a reportable cybersecurity event has occurred.
The 23 NYCRR 500 requirements are extensive and easy to misread, and the penalties for noncompliance can be severe.
23 NYCRR 500 applies to all covered entities, defined in Section 500.01 as "any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law", including:
- State banks
- Licensed Lenders
- Private Banks
- Foreign Banks operating in New York
- Mortgage Companies
- Insurance companies
- Trust companies
- Third-party service providers (not covered entities themselves, but subject to the covered entity's third-party service provider policy required by Section 500.11)
The cybersecurity regulations do not specifically detail any potential penalties or the impact of noncompliance. Instead, they “will be enforced by the superintendent [of NYDFS] pursuant to, and [are] not intended to limit, the superintendent’s authority under any applicable laws.”
Enforcement actions most likely would arise pursuant to the general authority of NYDFS under the New York Banking Law, which authorizes the superintendent of NYDFS to require a regulated entity to pay a penalty “for any violation of this chapter [or] any regulation promulgated thereunder” (which would include the cybersecurity regulations).
Penalties pursuant to the New York Banking Law are authorized up to (a) $2,500 per day during which a violation continues, (b) $15,000 per day in the event of any reckless or unsound practice or pattern of misconduct, or (c) $75,000 per day in the event of a knowing and willful violation.
Cybersecurity Regulation Exemptions
Section 500.19 of the DFS cybersecurity regulation contains several exemptions. Most exemptions are limited in scope and still require the Covered Entity to comply with some provisions of the Regulation. If you claim an exemption, you must still (a) file a Notice of Exemption with the superintendent, (b) implement the elements of the cybersecurity program that remain required for your exemption category, and (c) keep cybersecurity policies and an incident response capability in place.
Proving Compliance with NYDFS
Periodic risk assessments are the benchmark against which the regulation measures your cybersecurity program, so use them to evaluate and document its posture. Each year, the regulated institution must evaluate its program and certify compliance for the preceding calendar year; the certification is signed by the chairperson of the board of directors or a senior officer.
At the end of this process, the organization submits a Certification of Compliance with the NYDFS Cybersecurity Regulation to the superintendent.
Under 23 NYCRR 500, the cybersecurity program and written policies must address, among other areas:
- Information Security
- Access Controls and identity management
- Business continuity and disaster recovery planning
- Personnel security and cybersecurity awareness training
- Security of information systems
- Network Security
- Periodic risk assessments
- Internal reporting, audit trails and auditing
- Data encryption and protection of nonpublic information
- Systems and network monitoring, including threat detection
- Incident Response Plans
- Multi-Factor Authentication
- Vendor/Third-Party Risk Assessments