In March 2017, the New York State Department of Financial Services (DFS) introduced the 23 NYCRR 500, a set of regulations designed to protect the massive financial services industry from cyber threats. This comprehensive cybersecurity regulation mandates that financial services companies establish and maintain cybersecurity programs that safeguard the confidentiality, integrity, and availability of their information systems.
The 23 NYCRR 500 applies to all financial services companies operating in New York state, including banks, credit unions, insurance companies, and other financial service institutions. The regulation aims to ensure that financial service companies implement adequate cybersecurity measures to safeguard sensitive customer information from cyber threats. To achieve compliance, financial firms must institute comprehensive cybersecurity risk management strategies.
The only companies exempt from this regulation are those that meet the following criteria:
- Fewer than 10 employees
- Less than $10 million in year-end total assets
- Less than $5 million in gross revenue over the last three years
The Scope of 23 NYCRR 500
The 23 NYCRR 500 applies to all financial services companies regulated by the New York State Department of Financial Services (DFS). The regulation requires companies to establish and maintain a cybersecurity program that adequately protects their information systems from unauthorized access, disclosure, or misuse.
The regulation also requires companies to develop written policies and procedures that address the following areas:
- Information Security
- Data Governance and Classification
- Access Controls and Identity Management
- Cybersecurity Personnel and Intelligence
- Incident Response Planning and Implementation
- Vendor and Third-party Service Provider Management
- Annual Penetration Testing and Vulnerability Assessments
- Risk Assessment
How Does 23 NYCRR 500 Compare With Other Regulations?
The 23 NYCRR 500 regulation is a comprehensive, state-level cybersecurity requirement for financial institutions in New York state, with many of its stipulations overlapping with those set forth by the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), the General Data Protection Regulation (GDPR) of the European Union (EU), and ISO 27001. By conforming to the standards imposed by this regulation, financial institutions in New York can reduce the privacy and security risks associated with handling sensitive data and defend against cyber threats to their digital infrastructure.
Provisions of 23 NYCRR 500
The 23 NYCRR 500 regulations require entities to have a cybersecurity program in place, a third-party service provider security policy, multi-factor authentication, encryption of nonpublic information, and an incident response plan.
Cybersecurity Program
The 23 NYCRR 500 stipulates a cybersecurity program that contains administrative and technical safeguards to protect the confidentiality, integrity, and availability of information systems and nonpublic information. It should also include risk assessments, policies and procedures for the protection of information systems, monitoring and auditing of the system, and incident response plans.
Third-party Service Provider Security Policy
The third-party service provider security policy outlines the steps that must be taken to ensure service providers have appropriate security measures and processes in place to protect nonpublic information. It should also include requirements for third-party service providers to adequately protect information, identify and respond to security incidents, and notify the business of any incidents in a timely manner.
Multi-factor Authentication
Multi-factor authentication is a way of verifying an individual’s identity by utilizing two or more independent verification elements. This could include passwords, PINs, biometrics, or other methods of authentication.
Encryption of Nonpublic Information
Nonpublic information must be encrypted throughout its life cycle, including when it is stored, transmitted, or accessed.
Incident Response Plan
The incident response plan outlines the steps to be taken if there is a breach of the system or unauthorized access of nonpublic information. It should include procedures for responding to and containing the incident, notifying the proper authorities, and taking corrective measures to prevent similar incidents in the future.
Key Requirements of 23 NYCRR 500
Just as the name suggests, the 23 NYCRR 500 consists of 23 requirements which, taken as a whole, help organizations recognize potential threats and defend against them before an attack happens. Of the 23 requirements, the following are the most noteworthy:
- Establish and maintain a cybersecurity program that is designed to protect the confidentiality, integrity, and availability of their information systems.
- Develop written policies and procedures that address the areas mentioned in the previous section.
- Appoint a Chief Information Security Officer (CISO) responsible for implementing and overseeing the cybersecurity program.
- Conduct regular risk assessments to identify and assess potential risks to the company’s information systems.
- Develop and implement an incident response plan to promptly respond to and mitigate cybersecurity events.
- Provide regular cybersecurity awareness training to all employees.
- Use encryption to protect sensitive data in transit and at rest.
Penalties for Noncompliance
The New York State Department of Financial Services (DFS) may impose civil money penalties up to a maximum of $5,000 for each violation and up to a maximum of $5,000 for each day the violator continues in noncompliance. Additionally, the DFS may issue cease and desist orders, revoke or suspend licenses and certificates, direct the accused to take corrective action, and/or conduct other investigations or proceedings as defined by law. Finally, any person who knowingly and willfully violates any provision of the 23 NYCRR 500 can be subject to criminal charges and potential imprisonment.
Best Practices for Compliance With 23 NYCRR 500
It is essential for organizations to understand the 23 NYCRR 500 regulations and implement best practices in order to remain compliant. The following best practices need to be accounted for:
Understand Your Company’s Legal Obligations
Organizations must understand all the regulatory requirements that apply to them. Awareness of these legal obligations helps ensure compliance with the 23 NYCRR 500.
Implement a Comprehensive Cybersecurity Program
A comprehensive cybersecurity program is essential for protecting data, systems, and networks from cyber threats. This program should include policies, procedures, and technologies designed to protect and monitor against threats.
As part of the cybersecurity program, it is important to provide training to employees on the policies and procedures. This training should cover topics such as identifying phishing emails and best practices for securing data.
Establish a Risk Management Process
Establishing a cybersecurity risk management process that evaluates the potential risks to the organization, documents the risks, and identifies ways to mitigate those risks is essential for being compliant with the 23 NYCRR 500.
Monitor and Maintain Security Systems
Security systems such as firewalls and antivirus software should be monitored and maintained to ensure they are working properly and are up to date. Regular security scans should be conducted to identify any vulnerabilities.
Develop an Incident Response Plan
Having an incident response plan in place is essential for responding to security incidents. This plan should describe the processes for responding to and mitigating incidents.
Establish Third-party Vendor Management
Establishing and managing third-party vendor relationships is important for ensuring all vendors comply with the 23 NYCRR 500. It is essential to assess vendors to ensure their security measures meet the organization’s requirements.
Ensure Data Privacy With Kiteworks Private Content Network
One of the best approaches to help with 23 NYCRR 500 compliance is to use technology that supports data privacy. Encryption, data management and visibility, automated controls, and technical implementations of governance, risk, and compliance policies can go far in supporting such efforts. Businesses must understand both their legal obligations and their ethical posture when it comes to protecting the privacy of user data.
The Kiteworks Private Content Network unifies, tracks, controls, and secures sensitive content communication onto one platform. Centralized governance enables financial services organizations to demonstrate compliance with data privacy and cybersecurity regulations such as the 23 NYCRR 500, Federal Information Security Management Act (FISMA), Financial Industry Regulatory Authority (FINRA), FTC Safeguards Rule, Gramm-Leach-Bliley Act (GLBA), and others.
File and email data communications sent and shared through the Kiteworks Private Content Network are enveloped by the Kiteworks hardened virtual appliance, which employs an embedded network firewall, a WAF, and zero-trust least-privilege access to minimize the attack surface. Learn how the Kiteworks Private Content Network enables financial organizations to demonstrate compliance with the 23 NYCRR 500 and various other data privacy and cybersecurity standards by scheduling a custom demo today.