Learn about the new NYDFS Cybersecurity Regulation and its implications for financial institutions in Data Protection 101, our series on the fundamentals of information security.
Definition of the NYDFS Cybersecurity Regulation
The NYDFS Cybersecurity Regulation (23 NYCRR 500) is a new set of regulations from the NY Department of Financial Services (NYDFS) that places new cybersecurity requirements on all covered financial institutions. The rules were released on February 16th, 2017 after two rounds of feedback from industry and the public. Covered institutions must adhere to many of the new requirements by as early as August 28, 2017.
Who is Covered under the NYDFS Cybersecurity Regulation?
The NYDFS Cybersecurity Regulation applies to all entities operating under or required to operate under DFS licensure, registration, or charter, or which are otherwise DFS-regulated, as well as, by extension, unregulated third party service providers to regulated entities. Examples of covered entities include:
- State-chartered banks
- Licensed lenders
- Private bankers
- Foreign banks licensed to operate in New York
- Mortgage companies
- Insurance companies
- Service providers
There are limited exemptions to the NYDFS Cybersecurity Regulation. Organizations that employ fewer than 10 people, generated less than $5 million in gross annual revenue from New York operations in each of the past three years, or hold less than $10 million in year-end total assets are exempt from certain requirements of the Regulation.
How the NYDFS Cybersecurity Regulation Works
The NYDFS Cybersecurity Regulation works by imposing strict cybersecurity rules on covered organizations, including the establishment of a detailed cybersecurity program, the designation of a Chief Information Security Officer (CISO), the enactment of a comprehensive cybersecurity policy, and the initiation and maintenance of an ongoing reporting system for cybersecurity events. Each of these components is made up of several sub-regulations and requirements.
NYDFS Cybersecurity Regulation Requirements
Each "Covered" Institution Must Adopt a Robust Cybersecurity Program by August 28, 2017
A cybersecurity program that complies with the new NYDFS Cybersecurity Regulation will adhere to several key requirements, aligned with the NIST Cybersecurity Framework:
- Identify all cybersecurity threats, both internal and external.
- Employ defense infrastructure to protect against those threats.
- Use a system to detect cybersecurity events.
- Respond to all detected cybersecurity events.
- Work to recover from each cybersecurity event.
- Fulfill various requirements for regulatory reporting.
Every Covered Institution Must Enact a Comprehensive Cybersecurity Policy by August 28, 2017
The NYDFS Cybersecurity Regulation requires covered institutions to institute and maintain a documented cybersecurity policy. The policy must address concerns in alignment with industry best practices and ISO 27001 standards. Most notably, the policy must cover:
- Information security
- Access controls
- Disaster recovery planning
- Systems and network security
- Customer data privacy
- Regular risk assessments
Covered Institutions Must Adhere to these Additional Requirements by August 28, 2017
Organizations covered by the NYDFS Cybersecurity Regulation are also required to:
- Designate a qualified Chief Information Security Officer (CISO) to oversee and implement the cybersecurity program and enforce policy. Organizations can use a third party to fill this role.
- Use qualified, continuously trained cybersecurity personnel to manage evolving cybersecurity threats and responses. These can be third-party personnel.
- Notify the NYDFS about all cybersecurity events that carry a "reasonable likelihood" of causing material harm.
- Limit access privileges. Companies covered by the regulation must monitor and limit the access privileges granted to users.
Covered Institutions Must Address New Cybersecurity Challenges
Some requirements of the NYDFS Cybersecurity Regulation go above and beyond existing industry best practices. The most noteworthy are:
- Data encryption: Organizations must enact controls, including encryption of sensitive data, depending on the outcome of a risk assessment.
- Annual certification: Covered entities must complete certification every year to confirm compliance with the regulations.
- Enhanced multi-factor authentication: Covered institutions must employ multi-factor authentication for all inbound connections to the entity's network.
- Incident reporting: Covered entities must document and report all cybersecurity events.
Benefits and Drawbacks of the NYDFS Cybersecurity Regulation
The NYDFS Cybersecurity Regulation was adopted on March 1, 2017 after a long history of damaging cyber attacks and data breaches in the financial industry. While NYDFS paved the way for other states to enact much-needed cybersecurity regulation, its efforts may not go far enough. In no particular order, here are a few pros and cons surrounding the new regulation:
- The regulation has been scaled back from proposed versions, which called for the encryption of all data at rest and in transit, a requirement many institutions argued was unnecessarily restrictive.
- According to Sam Olyaei, senior research analyst at Gartner Research, the regulation was woefully out of date even before its enactment, though he admits it's much better than regulation in place (or not in place) in other states.
- Organizations with fewer than 10 employees and independent contractors are considered exempt under the enacted version of the regulation.
- Small and medium-sized companies can rely on third-party service providers to meet many of the regulation's requirements.
Best Practices for Complying with NYDFS Cybersecurity Regulation
Financial institutions face a near-term compliance challenge under the new NYDFS Cybersecurity Regulation. Best practices involve meeting all the requirements in a timely manner, paying special attention to deadlines, and appointing a qualified CISO to pull together an appropriate response. In preparing for NYDFS Cybersecurity Regulation compliance, be sure to:
- Assess whether your institution qualifies as "covered." There are several exemptions, but exempt organizations must file as such within 30 days of the end of the most recent fiscal year. To determine whether your organization is "covered," see the NYDFS website's "Who We Supervise" page here.
- Assemble your organization's regulatory compliance team. All covered, non-exempt financial institutions must assign a Chief Information Security Officer (CISO) by August 28th, 2017. While the CISO holds overarching responsibility for compliance, achieving and maintaining compliance is generally a job for a team rather than an individual, especially considering that the new regulations apply enterprise-wide.
- Understand your risk profile. The required Risk Assessment must be submitted by March 1, 2018. However, organizations may want to complete a risk assessment much sooner, as other requirements due by August 28, 2017 depend on the completion of the Risk Assessment.
- Adhere to all deadlines. Many provisions in the new regulation go into effect as early as August 28, 2017, with others taking effect at later dates. See the full regulation document here for clarification.
Additional Resources on the NYDFS Cybersecurity Regulation
For more information about the NYDFS Cybersecurity Regulation, visit the following resources:
- See the NYDFS "Who We Supervise" page to assess whether your institution is covered under NYDFS Cybersecurity Regulation.
- The NYDFS regulation document is viewable in PDF form here.
- The NYDFS Regulation FAQs page is here. It answers 14 commonly asked questions about the regulation, including questions about deadlines, requirements, and definitions.