23 NYCRR 500 - What the NYDFS Law Means for Financial Services Organizations

Gene Villeneuve

Cybersecurity threats have grown from occasional attacks into daily attacks by outsiders and by unwitting or careless insiders. A recent Accenture survey and report finds that "most surveyed banks are confident, if not overconfident in the ability to protect their enterprise. Yet, 1 in 3 focused breach attempts succeed".

New York is the first state to adopt a cybersecurity regulation aimed specifically at the financial services sector as critical infrastructure. The NY Department of Financial Services (NYDFS) issued the NYDFS Cybersecurity Regulation (23 NYCRR 500), which imposes cybersecurity requirements on all covered entities, that is, banks, insurers and other institutions licensed or regulated by NYDFS. The final rule was issued on February 16, 2017, after two rounds of feedback from industry and the public, and took effect on March 1, 2017. According to the author, failure to comply can incur fines of $250,000 or one percent of total banking assets.

The cybersecurity program a covered entity must maintain under the regulation tracks the core functions of the NIST Cybersecurity Framework (identify, protect, detect, respond, recover), and the regulation adds several requirements of its own on top of that framework:

  • Identify all cybersecurity threats, internal and external
  • Use defensive infrastructure to protect against the identified threats
  • Ensure a program, training, and policies are defined and implemented
  • Use systems that detect cybersecurity events and respond to them promptly
  • Maintain disciplined plans to recover from each cybersecurity event and restore normal operations
  • Monitor logs and access, and use multi-factor authentication and encryption of nonpublic information
  • Conduct penetration testing and vulnerability assessments on a regular schedule
  • Comply with regulatory reporting requirements (the regulation adds stricter rules for New York, including notice to the NYDFS superintendent within 72 hours of determining that a reportable cybersecurity event has occurred)
  • Manage third-party risk: ensure the entire service ecosystem is secure and adheres to the regulation

Section 500.11 (third-party service provider security policy) is the next major milestone, which all covered financial services organizations must meet by March 1, 2019. Key elements of the third-party policy are as follows:

  • Identification and risk assessment of third-party service providers
  • Minimum cybersecurity practices the third party must adopt before it is engaged
  • Due diligence in assessing the adequacy of the third party's practices
  • Periodic reassessment of each third-party service provider
  • Multi-factor authentication and access control management for all third-party access
  • Encryption of nonpublic information at rest and in transit
  • Event disclosure procedures and notification commitments from the third party
  • Representations and warranties from the third party about its cybersecurity policies and procedures
  • A requirement that the third party and its subcontractors adhere to the covered entity's policies

Financial services organizations will need to set cybersecurity policies for third-party service providers covering, for example, treatment of data, access to sensitive data, privileged credential management and obfuscation, and any nationality or security-clearance restrictions on who may access systems. Covered entities will need to track whether third-party service providers are adhering to these policies and cut off their access to critical systems if they fail to comply. That requires detailed audit and activity logging that can attribute every action to the individual within the third-party provider who performed it, not just to the provider as a whole. In other words, financial institutions will need a continuous compliance and governance practice.

Covered entities will need to require all third-party providers to use multi-factor authentication when accessing critical systems and to limit that access to only the systems each provider is contracted to use. They will also need technology that encrypts all communication between the third-party service provider and the covered entity and ensures that nonpublic information at rest is encrypted (Section 500.15 allows CISO-approved compensating controls only where encryption is infeasible).

Learn how Tehama.io provides a platform for financial services organizations (covered entities) to define and implement cybersecurity policies that govern third-party service provider practices, with continuous audit and compliance, encryption of data at rest and in transit, and multi-factor authentication.

How are you responding to the NYDFS Cybersecurity Regulation 23 NYCRR 500? What policies, procedures, and governance have you established to comply with this new regulation?
