NYDFS Compliance Services
NYDFS Cybersecurity Regulation requires New York insurance companies, banks, and other regulated financial services institutions
The state of New York Department of Financial Services ("NYDFS") finalized its new cybersecurity rule ("23 NYCRR 500"), which creates new information security requirements for a "Covered Entity" under NYDFS supervision. This new detailed regulation includes requirements to appoint a Chief Information Security Officer ("CISO"), to implement and maintain a written cybersecurity policy and the governance of a cyber security program.
CyberSecOp provides a Virtual CISO Security Program, which helps our clients quickly comply with the NYDFS mandates, protecting our clients from fines from the New York Department of Financial Services NYDFS.
We accomplish the above by assigning an executive-level CISO to create an NYDFS strategic plan aligned with your company’s budget and goals.
Cybersecurity for NYDFS Regulations
Cyber-attacks have been growing, and the New York State Department of Financial Services understands this is a growing problem; in response to the increasing cyber security threat posed to information and financial systems, the New York State Department of Financial Services (NYDFS) has passed the State of New York’s Cyber security Requirements for Financial Services Companies (23 NYCRR 500). This law took effect on March 1, 2017, to protect customer information and the IT systems of regulated entities.
What is NYDFS 23 NYCRR 500?
23 NYCRR 500 is a cybersecurity regulation passed by the New York State Department of Financial Services (NYDFS) in early 2017. According to their website, the purpose of the NYDFS cybersecurity regulations is to “promote the protection of customer information and the information technology systems of related entities.”
The New York cybersecurity regulations apply to all companies under NYDFS supervision, including state-chartered banks, charitable foundations, credit unions, insurance companies, etc.
To follow the NYDFS cybersecurity regulations, companies are now required to “assess its specific risk profile and design a program that addresses its risks in a robust fashion.” Additionally, senior management must “be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations.”
Specific NYDFS 23 NYCRR 500 cybersecurity requirements include (but are not limited to):
NYDFS Risk assessments to inform the program’s design
NYDFS Identification and evaluation of external cybersecurity risks
NYDFS Controls, policies, and procedures for mitigating those risks
NYDFS Fulfillment of regulatory reporting requirements
NYDFS Chief Information Security Officer (CISO)
Data Governance and Classification
NYDFS Asset Inventory and Device Management
NYDFS Physical Security and Environmental Controls
NYDFS Board Education
NYDFS High-Level Requirement
Establish a cybersecurity program
Implement and maintain a written cybersecurity policy
Designate a CISO
Implement an audit trail
Utilize access privileges
Evaluate, assess, and test the security of in-house and external technology applications
Conduct a periodic risk assessment
Ensure cybersecurity personnel are appropriately trained and qualified
Establish policies and procedures to protect nonpublic information held by third-party service providers
Implement multi-factor or risk-based authentication
Ensure secure disposal periodically of any nonpublic information
Monitor and train all firm personnel
Encryption of nonpublic information
Establish a written incident response plan
Notify the superintendent regarding any cybersecurity event within 72 hours
For more information on NYDFS Cybersecurity Regulation Consulting Services
