Financial institutions are aware of their duty to protect their systems from countless cyberthreats. They’re also constantly under pressure to meet regulatory requirements because they know that there are massive consequences if they fail to do so.
In 2017, the New York Department of Financial Services (NYDFS) set forth new rules that aim to strengthen financial institutions’ cybersecurity programs. Here’s what financial institutions need to know about the new regulation.
What is the NYDFS Cybersecurity Regulation?
The NYDFS Cybersecurity Regulation (“23 NYCRR 500”) is a set of regulations that require financial institutions to evaluate their cybersecurity risks and to develop strategies that will protect them against those risks.
State-chartered banks, private bankers, licensed lenders, insurance companies, mortgage companies, and similar institutions are required to follow the regulations, which include:
- Installing a detailed cybersecurity plan
- Assigning a Chief Information Security Officer (CISO)
- Enacting a comprehensive cybersecurity policy
- Initiating and maintaining a system that reports relevant cybersecurity events
NYDFS-regulated entities must comply with the regulations, but those with fewer than 10 employees are exempted. Third-party service providers, which include IT partners that work with regulated entities, must also comply with the regulations.
Those who are familiar with the EU’s GDPR will recognize similar principles on data security, risk assessment, documentation of information security policies, and designating a CISO in terms of protecting personally identifiable information.
What are the requirements?
Covered institutions must align their cybersecurity policies with the five core functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which US private organizations use when evaluating and improving their cyberattack prevention, detection, and response systems.
To comply, an organization’s cybersecurity program must include provisions to:
- Identify internal and external cyberthreats
- Build a defense system that shields against said threats
- Develop protocols for detecting a cybersecurity event
- Respond to all detected cybersecurity events
- Recover from cybersecurity events by restoring system capabilities affected by the event
- Report these events
What are the phases of the regulation?
The implementation of 23 NYCRR 500 was in phases, covering policy design, reporting, program development, and third-party security concerns.
The first phase involved strict rules that need to be followed in case of an actual breach. Covered entities must make sure that their cybersecurity policy includes an incident response plan that guarantees breach notifications within 72 hours. Moreover, their policies must address factors like information security, access controls, disaster recovery planning, systems and network security, customer data privacy, and regular risk assessments.
The policy must be in accordance with ISO 27001 standards and industry best practices.
The second phase required CISOs to prepare an annual report that covers the organization’s cybersecurity policies and procedures, security risks, and the effectiveness of their existing cybersecurity measures. In addition, organizations were required to continuously evaluate system vulnerabilities.
During the third phase, financial organizations were required to integrate certain elements into their cybersecurity programs, including a threat detection-and-response audit trail, written documentation of procedures for in-house applications and evaluating third-party applications, data retention policy documentation, and encryption and other security control measures.
The final phase initiated policies on giving permissions to access systems and data to third parties. To comply, covered entities must create a written policy outlining a risk assessment of third-party providers, the security requirements that third-party providers must meet before they conduct business with the financial firm, processes for evaluating third parties’ effectiveness, and regular assessments of third parties’ policies and controls.
Requirements involving the use of trained cybersecurity personnel, notifying the NYDFS of all potential security events that might cause significant harm, and limiting access privileges were also introduced in phase four.
Are there drawbacks?
With the implementation of 23 NYCRR 500, covered financial institutions are compelled to address key security challenges and impose critical measures such as enacting stringent controls, primarily data encryption; completing annual certification; enabling multifactor authentication; and documenting and reporting all cybersecurity incidents.
One of the perceived drawbacks of the regulation concerns the ability of covered entities to comply with all of the requirements, which some perceive as being too restrictive. And based on one analysis, the regulations’ mandates may be a bit outdated.
However, New York state’s regulation also contains well-thought-out rules compared to those implemented in other states. And although it’s inevitable that some businesses will struggle with compliance, they will reap numerous benefits from complying with tightly controlled cybersecurity best practices.
If your SMB anticipates struggling to meet all the requirements or has questions about 23 NYCRR 500, get in touch with Hudson Valley IT Services’ cybersecurity experts. We have successfully handled and mitigated a variety of cybersecurity issues for our clients, and we’d like to do the same for you. Call us today to get started.