What is the NYDFS Cybersecurity Regulation? A Cybersecurity Compliance Requirement for Financial Institutions
Learn about the new NYDFS Cybersecurity Regulation and its implications for financial institutions in Data Protection 101, our series on the fundamentals of information security.
Definition of the NYDFS Cybersecurity Regulation
The NYDFS Cybersecurity Regulation (23 NYCRR 500) is a set of rules from the New York Department of Financial Services (NYDFS) that imposes cybersecurity requirements on all covered financial institutions. The final rules were released on February 16, 2017, after two rounds of feedback from industry and the public, and took effect on March 1, 2017. Their 23 numbered sections (500.01 through 500.23) set out the requirements for developing and implementing an effective cybersecurity program, and require covered institutions to assess their cybersecurity risks and develop plans to address those risks proactively. The Regulation used a phased implementation schedule, with four transitional periods that gave organizations time to put progressively more robust policies and controls in place.
Who is Covered Under the NYDFS Cybersecurity Regulation?
The NYDFS Cybersecurity Regulation applies to all entities operating under, or required to operate under, a DFS license, registration, or charter, or that are otherwise regulated by DFS. Third-party service providers to those entities are not regulated directly, but they are reached indirectly: covered entities must assess them and impose minimum security requirements on them (Section 500.11). Examples of covered entities include:
- State-chartered banks
- Licensed lenders
- Private bankers
- Foreign banks licensed to operate in New York
- Mortgage companies
- Insurance companies
- Third-party service providers to the above (indirectly, through the covered entity's third-party security policy)
There are limited exemptions to the NYDFS Cybersecurity Regulation. Covered entities with fewer than 10 employees (including independent contractors), less than $5 million in gross annual revenue from New York operations in each of the past three fiscal years, or less than $10 million in year-end total assets are exempt from certain requirements of the Regulation (Section 500.19). The exemption is partial, not total: exempt entities must still, for example, maintain a cybersecurity program and policy, limit access privileges, conduct a risk assessment, and file notices of cybersecurity events.
How the NYDFS Cybersecurity Regulation Works
The NYDFS Cybersecurity Regulation works by imposing specific cybersecurity rules on covered organizations, including the establishment of a risk-based cybersecurity program, the designation of a Chief Information Security Officer (CISO), the adoption of a written cybersecurity policy, and the creation and maintenance of an ongoing process for reporting cybersecurity events to the superintendent. Each of these components is built from several sub-requirements, which are described below.
NYDFS Cybersecurity Regulation Requirements
A cybersecurity program that complies with the NYDFS Cybersecurity Regulation must perform six core functions (Section 500.02), which mirror the functions of the NIST Cybersecurity Framework:
- Identify and assess internal and external cybersecurity risks to the security and integrity of nonpublic information held on the entity's systems.
- Protect information systems and the nonpublic information they store with defensive infrastructure and with written policies and procedures.
- Detect cybersecurity events.
- Respond to identified or detected cybersecurity events to mitigate their effects.
- Recover from cybersecurity events and restore normal operations.
- Fulfill applicable regulatory reporting obligations.
CYBERSECURITY POLICY DESIGN
The initial phase of the NYDFS Cybersecurity Regulation took effect on August 28, 2017, at the end of the 180-day transitional period (the first annual certification of compliance was then due on February 15, 2018). It required covered organizations to establish a cybersecurity program and a written cybersecurity policy, to designate a CISO, and to adopt an incident response plan, including the obligation to notify the superintendent within 72 hours of determining that a reportable cybersecurity event has occurred. The policy must be based on the entity's risk assessment and, to the extent applicable, address a list of areas set out in Section 500.03, including:
- Information security
- Access controls
- Disaster recovery planning
- Systems and network security
- Customer data privacy
- Regular risk assessments
Phase two, which took effect on March 1, 2018, requires the CISO to report in writing to the board of directors (or equivalent governing body) at least annually on:
- The organization’s cybersecurity policies and procedures
- The organization’s security risks
- The effectiveness of the organization’s existing cybersecurity measures
Phase two also requires covered institutions to conduct a periodic risk assessment, to perform annual penetration testing and bi-annual vulnerability assessments (or continuous monitoring), to provide regular cybersecurity awareness training, and to deploy multi-factor authentication. Continuous evaluation of vulnerabilities not only informs the CISO's annual report but also enables the organization to respond to threats proactively rather than after an incident.
Phase three, which took effect on September 3, 2018, requires covered institutions to have a comprehensive cybersecurity program in place that contains several additional elements, including:
- Audit trails that allow the entity to reconstruct material financial transactions (records kept for at least five years) and to detect and respond to cybersecurity events (records kept for at least three years)
- Written procedures, guidelines, and standards for secure development of in-house applications, together with procedures for evaluating and testing the security of externally developed applications
- Policies for the periodic secure disposal of nonpublic information that is no longer necessary for business operations or legal obligations
- Encryption of nonpublic information in transit over external networks and at rest, and risk-based monitoring of authorized users' activity to detect unauthorized access to or tampering with nonpublic information
THIRD PARTY SECURITY
The final requirement took effect on March 1, 2019, at the end of the two-year transitional period. It requires covered institutions to finalize their policies and procedures for any third-party service provider that has access to the entity's information systems or nonpublic information. Covered financial institutions must have a written third-party security policy that addresses:
- Risk assessment of third-party service providers
- The covered financial institution’s security requirements of third-party service providers that must be met in order to conduct business with that entity
- Processes for evaluating the effectiveness of a third-party service provider’s security practices
- Periodic assessments of third-party service providers, based on the risk they present, to confirm that their cybersecurity practices remain adequate
The policy must also include guidelines for due diligence and/or contractual protections covering, where applicable, access controls (including multi-factor authentication), encryption, notice to the covered entity of cybersecurity events affecting its data, and representations and warranties about the provider's cybersecurity policies and procedures (Section 500.11(b)).
Organizations covered by the NYDFS Cybersecurity Regulation are also required to:
- Use qualified cybersecurity personnel, kept current through regular training, to manage cybersecurity risks and perform the program's core functions. These personnel may be employees, an affiliate's staff, or a qualified third-party service provider.
- Notify the NYDFS within 72 hours of determining that a cybersecurity event has occurred that either must be reported to another government, regulatory, or self-regulatory body, or has a "reasonable likelihood" of materially harming any material part of normal operations.
- Limit access privileges. Covered entities must restrict user access to information systems that hold nonpublic information to what is needed, and periodically review those privileges.
Covered Institutions Must Address New Cybersecurity Challenges
Some requirements of the NYDFS Cybersecurity Regulation are more prescriptive than earlier financial-sector rules, which generally left the choice of controls to the institution. The most noteworthy are:
- Data encryption: Organizations must implement controls, including encryption, to protect nonpublic information in transit over external networks and at rest, based on the outcome of the risk assessment. Where encryption is infeasible, the entity may use effective compensating controls that the CISO reviews and approves at least annually.
- Annual certification: Covered entities must submit a written certification of compliance to the superintendent each year by February 15, and must retain the records and data supporting that certification for five years.
- Multi-factor authentication: Covered institutions must use multi-factor authentication for any individual accessing the entity's internal networks from an external network, unless the CISO has approved in writing reasonably equivalent or more secure access controls.
- Incident reporting: Covered entities must maintain an incident response plan and report to the superintendent, within 72 hours, any cybersecurity event that is reportable to another regulator or that is reasonably likely to cause material harm to normal operations.
Consequences and Penalties for NYDFS Cybersecurity Regulation Violations
The regulation itself does not set a schedule of fines. Section 500.20 states only that the superintendent will enforce it under, and without limiting, the superintendent's existing authority under applicable law, which means penalties are assessed through the Banking Law, Insurance Law, and Financial Services Law rather than through amounts fixed in the regulation. Covered entities therefore cannot predict a specific fine from the text alone. Now that all provisions are in force (the last transitional period ended on March 1, 2019), violations can be alleged and found, and any resulting fines and other consequences may become public through DFS enforcement actions.
Note: When publicly questioned about the language and fees required of violators, drafters of the NYDFS offered no further explanation.
Benefits and Drawbacks of the NYDFS Cybersecurity Regulation
The NYDFS Cybersecurity Regulation took effect on March 1, 2017, after a long history of damaging cyber attacks and data breaches in the financial industry. While NYDFS paved the way for other states to enact much-needed cybersecurity regulation, some argue its requirements do not go far enough. In no particular order, here are a few pros and cons of the regulation:
- The regulation has been scaled back from proposed versions, which called for the encryption of all data at rest and in transit, which many institutions argued was unnecessarily restrictive.
- According to Sam Olyaei, senior research analyst at Gartner Research, the regulation was woefully out of date even before its enactment, though he admits it's much better than regulation in place (or not in place) in other states.
- Covered entities with fewer than 10 employees, including independent contractors, are exempt from several (though not all) requirements under the enacted version of the regulation.
- Small and medium-sized companies can rely on third-party service providers to meet many of the regulation's requirements, including the cybersecurity personnel requirement, although the covered entity remains responsible for compliance.
Best Practices for Complying with NYDFS Cybersecurity Regulation
With every transitional period now past, financial institutions face an ongoing compliance obligation under the NYDFS Cybersecurity Regulation. Best practices involve meeting all requirements on time, paying special attention to the annual certification deadline, and appointing a qualified CISO to coordinate the response. In preparing for NYDFS Cybersecurity Regulation compliance, be sure to:
- Assess whether your institution is a "covered entity." There are several exemptions, but an organization claiming one must file a Notice of Exemption with DFS within 30 days of determining that it qualifies. To determine whether your organization is covered, consult the NYDFS website's "Who We Supervise" page.
- Assemble your organization's regulatory compliance team. Every covered, non-exempt financial institution must have designated a Chief Information Security Officer (CISO). While the CISO holds overarching responsibility for the cybersecurity program, achieving and maintaining compliance is a job for a team rather than an individual, especially since the requirements apply enterprise-wide.
- Understand your risk profile. A documented risk assessment had to be in place by March 1, 2018. It is not filed with DFS, but it must be updated as reasonably necessary to reflect changes in the entity's systems, nonpublic information, and business operations, so organizations should treat it as an ongoing, periodic exercise that identifies vulnerabilities and drives proactive responses to emerging threats.
- Adhere to all deadlines. The final provisions of the regulation took effect on March 1, 2019, and the certification of compliance is due every year by February 15. Consult the full regulation text for clarification.
Additional Resources on the NYDFS Cybersecurity Regulation
For more information about the NYDFS Cybersecurity Regulation, visit the following resources:
- The NYDFS "Who We Supervise" page, for assessing whether your institution is covered under the NYDFS Cybersecurity Regulation.
- The full text of 23 NYCRR 500, published by NYDFS in PDF form.
- The NYDFS Cybersecurity Regulation FAQs page, which answers commonly asked questions about deadlines, requirements, and definitions.