The NYDFS Cybersecurity Regulation, 23 NYCRR Part 500, is a set of rules issued by the New York Department of Financial Services (NY DFS) that imposes cybersecurity requirements on every covered financial institution operating under a DFS license, registration, or charter in the state of New York. 23 NYCRR Part 500 compliance can be a daunting lift, especially for institutions that have not yet started to remediate, and even for those that have reached compliance but are unsure how to continuously prove it without diverting time, effort, and resources from existing projects.
Governor Cuomo announced that the regulation was the "first in the nation" to protect both consumers and financial institutions. "The regulation requires banks, insurance companies, and other financial services institutions regulated by the State Department of Financial Services" to put in place a continuously maintained cybersecurity program. The program is meant to protect the consumers each financial institution serves and to secure New York State's financial services industry now and in the years ahead as cyber vulnerabilities evolve. The requirements range from appointing a Chief Information Security Officer to implementing two-factor or multi-factor authentication (2FA or MFA). In short, the regulation is extensive.
According to the New York DFS, "This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion. Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations. A regulated entity’s cybersecurity program must ensure the safety and soundness of the institution and protect its customers."
The New York State Department of Financial Services noted that it has been "closely monitoring" the cybersecurity threats posed to information and financial systems by cyber terrorists and the growing threat of cyber crime. Cybercriminals often target the information held by financial entities in order to use it for illicit purposes, and DFS-regulated entities are no exception: they are targets of these attempted hacks and breaches like the rest of the financial services industry. At the same time, the DFS noted that it "appreciates that many firms have proactively increased their cybersecurity programs with great success." This success, together with the threats posed, led the DFS to mandate 23 NYCRR Part 500 compliance for the financial institutions it regulates.
The DFS framed the regulation this way: given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being so prescriptive that cybersecurity programs cannot be matched to the relevant risks or keep pace with technological advances. Accordingly, the regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities, with each company assessing its own risk profile and senior management certifying compliance annually, as quoted above.
The DFS also states that it is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program, and for all regulated entities to be subject to minimum standards with respect to their programs. The number of cyber events has been steadily increasing, and estimates of the potential risk to the financial services industry are stark. Adoption of the program outlined in these regulations is a priority for New York State.
In translation: if you are a New York financial services entity and wish to continue operating in the state, you need to ensure the safety and soundness of your organization in accordance with the Department of Financial Services cybersecurity regulation as soon as possible or, as the DFS puts it, "swiftly and urgently".
More background on the New York Department of Financial Services cyber requirements: