The New York Department of Financial Services (NYDFS) implemented 23 NYCRR 500 in March of 2017 in an attempt to respond to an increasing risk of cyberattacks in financial institutions. Fast forward to 2022, and many organizations are still getting up to speed on the regulations -- which requires adherence by all financial institutions operating in New York.
The goal is to better protect financial institutions and their customers from financial disaster. With evolving cyberattacks, organizations must be ready to defend themselves. Continue reading to find out what financial organizations need to know about the NYDFS Regulations.
What is the NYDFS Regulation?
In March of 2017, the New York Department of Financial Services instituted The NYDFS Cybersecurity Regulation (23 NYCRR 500), a new set of regulations that place requirements on all covered financial institutions operating in the state of New York.
Covered financial organizations include:
- Insurance companies
- Banks
- Financial services firms
- Other regulated financial services
These organizations are required to regularly assess their cybersecurity risk profile and develop plans to proactively address those risks.
Who is Covered Under the NYDFS Regulation?
Organizations that are covered under the newest NYDFS regulations include:
- Financial services firms
- State-chartered banks
- Licensed lenders
- Private bankers
- Foreign bankers licensed to operate in New York
- Mortgage companies
- Insurance companies
These organizations are responsible for following NYDFS regulations. Exemptions are rare, but organizations with less than 10 employees or have produced less than $5 million in gross revenue every year for the past three years in New York qualify for exemptions from specific NYDFS regulations. A Notice of Exemption must be filed within 30 days of the determination. Instructions on how to file an exemption can be found here.
NYDFS Cybersecurity Regulation Requirements
The requirements are as followed:
- Employ defense infrastructure to protect against threats
- Identify all internal and external cybersecurity threats
- Respond to all detected cybersecurity events
- Work to recover from each cybersecurity event
- Fulfill regulatory reporting
- Detailed cybersecurity plan
- Assign a Chief Information Security Officer (CISO)
- Assess current risk profile
These regulations work to create a reporting system for cybersecurity events to ensure your financial organization is at maximum protection from cyberattacks.
Reporting Procedures
NYDFS Regulations require you to prepare an annual report that includes your organization’s cybersecurity policies and procedures, your organization’s security risks, and the effectiveness of your organization’s existing cybersecurity measures. The aim of these reports is to have a record of how your organization is addressing cybersecurity threats. Institutions are required to implement a cybersecurity program that not only continuously evaluates threats, but also develops proactive responses to threats. Proper reporting prevents your business from getting audited. Your reports should show that your organization is up to date with required cybersecurity practices.
Best Practices for Complying with NYDFS Regulations
Financial institutions face the challenge of compliance with the new NYDFS Cybersecurity regulations. Organizations should focus on:
- Meeting all requirements on time
- Paying attention to deadlines
- Appointing a qualified CISO to prepare reports and assess cyber risks.
First, businesses should assess if their organization is covered under the new NYDFS Regulations. Even if you think your business is exempt from certain requirements, you will still have to comply with other requirements. Even if you are not subject to the regulation, good cyber hygiene and a strong cybersecurity posture can help protect your valuable client information. Make sure you clearly define the requirements your organization needs to follow. Find the whole list of requirements and exemptions here.
Assemble a regulatory compliance team for your organization to ensure the proper compliance. All covered financial institutions need to have a Chief Information Security Officer. It is suggested to develop a team to focus on cybersecurity to have better compliance. Your team needs to fully understand your organization’s risk profile. Make sure to adhere to all deadlines and properly assess the requirements of your company.
Need more guidance? Sign up for this No-Cost Compact NIST Cyber Security Framework Assessment.
Blog courtesy of Kyber Security, a managed security service provider in Fairfield, Connecticut. Read more Kyber Security blogs here.
