A New Cybersecurity Compliance Requirement for Financial Institutions
The NYDFS Cybersecurity Regulation (23 NYCRR 500) is a new set of regulations from the NY Department of Financial Services (NYDFS) that places new cybersecurity requirements on all covered financial institutions. The rules were released on February 16th, 2017 after two rounds of feedback from industry and the public. Covered institutions must adhere to many of the new requirements by as early as August 28, 2017.
Who is Covered under the NYDFS Cybersecurity Regulation?
The NYDFS Cybersecurity Regulation applies to all entities operating under, or required to operate under, DFS licensure, registration, or charter, or which are otherwise DFS-regulated, as well as, by extension, unregulated third-party service providers to regulated entities. Examples of covered entities include:
There are limited exemptions to the NYDFS Cybersecurity Regulation. Organizations that employ fewer than 10 people, produced less than $5 million in gross annual revenue from New York operations in each of the past three years, or hold less than $10 million in year-end total assets are exempt from certain requirements of the Regulation.
How the NYDFS Cybersecurity Regulation Works
The NYDFS Cybersecurity Regulation works by imposing strict cybersecurity rules on covered organizations, including the establishment of a detailed cybersecurity program, the designation of a Chief Information Security Officer (CISO), the enactment of a comprehensive cybersecurity policy, and the initiation and maintenance of an ongoing reporting system for cybersecurity events. Each of these components is made up of several sub-regulations and requirements.
NYDFS Cybersecurity Regulation Requirements
Each "Covered" Institution Must Adopt a Robust Cybersecurity Program by August 28, 2017
A cybersecurity program that complies with the new NYDFS Cybersecurity Regulation will adhere to several key requirements, aligned to the NIST Cybersecurity Framework:
- Identify all cybersecurity threats, both internal and external.
- Employ defense infrastructure to protect against those threats.
- Use a system to detect cybersecurity events.
- Respond to all detected cybersecurity events.
- Work to recover from each cybersecurity event.
- Fulfill various requirements for regulatory reporting.
Every Covered Institution Must Enact a Comprehensive Cybersecurity Policy by August 28, 2017
The NYDFS Cybersecurity Regulation requires covered institutions to institute and maintain a documented cybersecurity policy. The policy must address concerns in alignment with industry best practices and the ISO 27001 standard. Most notably, the policy must cover:
- Information security
- Access controls
- Disaster recovery planning
- Systems and network security
- Customer data privacy
- Regular risk assessments
Covered Institutions Must Adhere to these Additional Requirements by August 28, 2017
Organizations covered by the NYDFS Cybersecurity Regulation are also required to:
- Designate a qualified Chief Information Security Officer (CISO)
- Use qualified, continuously trained cybersecurity personnel
- Notify the NYDFS about all cybersecurity events
- Limit access privileges
Covered Institutions Must Address New Cybersecurity Challenges
Some requirements of the NYDFS Cybersecurity Regulation go above and beyond existing industry best practices. The most noteworthy are:
- Data encryption: Organizations must enact controls, including encryption of sensitive data, depending on the outcome of a risk assessment.
- Annual certification: Covered entities must complete certification every year to confirm compliance with the regulations.
- Enhanced multi-factor authentication: Covered institutions must employ multi-factor authentication for all inbound connections to the entity's network.
- Incident reporting: Covered entities must document and report all cybersecurity events.
Benefits and Drawbacks of the NYDFS Cybersecurity Regulation
The NYDFS Cybersecurity Regulation was adopted on March 1, 2017 after a long history of damaging cyber attacks and data breaches in the financial industry. While NYDFS paved the way for other states to enact much-needed cybersecurity regulation, its efforts may not go far enough. In no particular order, here are a few pros and cons surrounding the new regulation:
Best Practices for Complying with NYDFS Cybersecurity Regulation
Financial institutions face a near-term compliance challenge in the face of the new NYDFS Cybersecurity Regulation. Best practices involve meeting all the requirements in a timely manner, paying special attention to deadlines, and appointing a qualified CISO to pull together an appropriate response. In preparing for NYDFS Cybersecurity Regulation compliance, be sure to:
Additional Resources on the NYDFS Cybersecurity Regulation
For more information about the NYDFS Cybersecurity Regulation, visit the following resources:
- See the NYDFS "Who We Supervise" page to assess whether your institution is covered under the NYDFS Cybersecurity Regulation.
- The NYDFS regulation document is viewable in PDF form here.
- The NYDFS Regulation FAQs page is here. It answers 14 commonly asked questions about the regulation, including questions about deadlines, requirements, and definitions.