The NYDFS Cybersecurity Regulation requires New York insurance companies, banks, and other regulated financial services institutions
The New York State Department of Financial Services ("NYDFS") finalized its new cybersecurity rule ("23 NYCRR 500"), which creates new information security requirements for any "Covered Entity" under NYDFS supervision. This detailed regulation includes requirements to appoint a Chief Information Security Officer ("CISO"), to implement and maintain a written cybersecurity policy, and to govern a cybersecurity program.
CyberSecOP provides a Virtual CISO security program that helps our clients comply quickly with the NYDFS mandates, protecting them from fines imposed by the New York Department of Financial Services (NYDFS).
We accomplish this by assigning an executive-level CISO to create a NYDFS strategic plan aligned with the company's budget and goals.
Cyber attacks have been growing, and the New York State Department of Financial Services recognizes this as a growing problem. In response to the increasing cybersecurity threat to information and financial systems, the New York State Department of Financial Services (NYDFS) has passed the State of New York's Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500). This regulation took effect on March 1, 2017 in an effort to protect customer information, as well as the IT systems of regulated entities.
What is NYDFS 23 NYCRR 500?
23 NYCRR 500 is a cybersecurity regulation passed by the New York State Department of Financial Services (NYDFS) in early 2017. According to the NYDFS website, the purpose of the cybersecurity regulation is to “promote the protection of customer information as well as the information technology systems of related entities.”
The New York cybersecurity regulations are applicable to all companies under NYDFS supervision, including state-chartered banks, charitable foundations, credit unions, insurance companies, etc.
To comply with the NYDFS cybersecurity regulation, each company is now required to “assess its specific risk profile and design a program that addresses its risks in a robust fashion.” Additionally, senior management must “be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations.”
Specific NYDFS 23 NYCRR 500 cybersecurity requirements include (but are not limited to):
Risk assessments to inform the program’s design
Identification and assessment of external cybersecurity risks
Controls, policies, and procedures for mitigating those risks
Fulfillment of regulatory reporting requirements
Appointment of a Chief Information Security Officer (CISO)
Data governance and classification
Asset inventory and device management
Physical security and environmental controls
Board education
NYDFS High-Level Requirements
Establish a cybersecurity program
Implement and maintain a written cybersecurity policy
Designate a CISO
Implement an audit trail
Limit user access privileges
Evaluate, assess, and test security of in-house and external technology applications
Conduct a periodic risk assessment
Ensure cybersecurity personnel are properly trained and qualified
Establish policies and procedures to protect nonpublic information held by third party service providers
Implement multi-factor or risk-based authentication
Ensure periodic secure disposal of nonpublic information
Monitor and train all firm personnel
Encrypt nonpublic information
Establish a written incident response plan
Notify the superintendent regarding any cybersecurity event within 72 hours
For more information, see our NYDFS Cybersecurity Regulation Consulting Services.