The NY DFS Cybersecurity Regulation (23 NYCRR 500) is a set of rules from the New York Department of Financial Services (NYDFS) that places cybersecurity requirements on all covered financial institutions. The final rule was released on February 16, 2017, after several rounds of feedback from the industry and the public, and took effect on March 1, 2017. The regulation acknowledges the ever-growing threat posed to financial systems by cyber criminals and is designed to ensure that businesses effectively protect their customers' confidential information from cyber attacks.
Who Needs to Comply?
The NYDFS Cybersecurity Regulation applies to all "covered entities," defined in Section 500.01 as "any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or Financial Services Law."
This includes but is not limited to:
- State-chartered banks
- Licensed lenders
- Private bankers
- Foreign banks licensed to operate in New York
- Mortgage companies
- Insurance companies
- Third-party service providers to covered entities (not covered entities themselves unless separately licensed, but each covered entity must address them in its third-party service provider security policy)
There are limited exemptions to the NYDFS Cybersecurity Regulation (Section 500.19).
Organizations that have fewer than 10 employees (including independent contractors), generated less than $5 million in gross annual revenue from New York operations in each of the last three fiscal years, or held less than $10 million in year-end total assets are exempt from certain requirements of the Regulation (for example the CISO, penetration testing and audit trail requirements). They are not exempt from the rest: the risk assessment, cybersecurity program and policy, access controls, third-party service provider policy and notice of cybersecurity events still apply, and the exemption itself must be claimed by filing a Notice of Exemption with NYDFS.
When Do I Need to Comply?
On or before February 15, 2018 - The first annual certification of compliance was due to the New York Department of Financial Services, and a certification is due each year thereafter. (Yes, the first deadline has passed, but we are here to help!)
What Do I Need to Do?
1. Conduct a Risk Assessment
The Risk Assessment must be carried out in accordance with written policies and procedures and must be documented. It must also be updated as reasonably necessary to address changes to your information systems, nonpublic information or business operations. The policies and procedures must include:
- Criteria for the evaluation and categorization of identified cybersecurity risks or threats facing your information systems;
- Criteria for the assessment of the confidentiality, integrity, security and availability of your information systems and nonpublic information, including the adequacy of existing controls in the context of identified risks; and
- Requirements describing how identified risks will be mitigated or accepted based on the Risk Assessment and how the cybersecurity program will address those risks.
2. Prepare a Cybersecurity Program
You are required to maintain a cybersecurity program in your agency designed to protect the confidentiality, integrity and availability of your information systems. The program must be based on the results of your Risk Assessment and must be designed to identify risks, use defensive infrastructure to protect against them, detect and respond to cybersecurity events, recover from them and meet the Regulation's reporting obligations.
3. Prepare a Written Cybersecurity Policy
You need to implement and maintain a written policy or policies in your agency setting forth your policies and procedures for the protection of your information systems and the Nonpublic Information stored on those systems. You are also required to notify the superintendent of a cybersecurity event as promptly as possible, but in no event later than 72 hours from your determination that the event occurred, where the event either must be reported to another government body, self-regulatory agency or supervisory body, or has a reasonable likelihood of materially harming any material part of your normal operations.
4. Final Steps
- Limit user access privileges to the information systems that hold Nonpublic Information (who can log on to your computers and what they can reach) and periodically review those privileges.
- Provide notice to the superintendent of a cybersecurity event, if one occurs, within the 72-hour window described above.
- Use the NYS Security Breach Reporting Form where a breach of private information also triggers New York State breach notification; this is separate from the notice to the superintendent, which is filed through the DFS cybersecurity portal.
- You need a written Third-Party Service Provider Security Policy as of March 1, 2019.
Micro Solutions is here to help you become compliant and stay compliant. You can download our free gap assessment to see whether your business currently meets the Regulation's requirements.
If you just want to find out more about 23 NYCRR 500, enter your information below and download our white paper.