Understanding the NYDFS Cybersecurity Regulation
2024-11-26 05:57:44 Author: securityboulevard.com

Whether you’re a small financial service provider or a major institution, if you hold a license, charter, or registration from the New York Department of Financial Services (NYDFS), you need to meet its cybersecurity regulation, codified at 23 NYCRR Part 500. The regulation sets minimum standards for the security and resilience of the information systems that financial services businesses depend on. Understanding it is crucial for safeguarding your operations and, most importantly, your customers.

Here’s a guide to NYDFS cybersecurity regulations, along with key compliance elements and practical steps to help you turn compliance into a strategic advantage.

What Is the NYDFS Cybersecurity Regulation?

The NYDFS Cybersecurity Regulation imposes requirements on all financial institutions operating under NYDFS licensure, registration, or charter, whether they are based in New York or conduct licensed financial business in the state from elsewhere. It also reaches third-party service providers indirectly: a covered entity must maintain a third-party service provider policy and perform due diligence to ensure that vendors with access to its systems or nonpublic information meet minimum cybersecurity practices.

On March 1, 2017, the NYDFS first established cybersecurity requirements for financial services companies. The regulation, commonly called “23 NYCRR Part 500” or “the Cybersecurity Regulation,” requires that affected organizations implement measures to protect the confidentiality, integrity, and availability of their information systems and the nonpublic information on them. The Second Amendment, adopted on November 1, 2023, tightened the standards to address more modern threats, with the new obligations phased in through November 2025.

Failure to comply with these regulations can lead to hefty penalties. For example, in May 2019, First American Title Insurance Company disclosed an access-control flaw in its EaglePro document-sharing application: anyone holding a link to one document could retrieve other customers’ records by changing the document identifier in the URL, exposing sensitive consumer data. NYDFS brought charges over the incident and the company ultimately settled for a $1 million penalty and mandated remedial measures to improve data security. This example shows the importance of adhering to NYDFS regulations to avoid costly fines, reputational damage, and compromised customer trust.

What Is the Goal of NYDFS Regulations? 

23 NYCRR Part 500 aims to address the increasing complexity of cyberthreats and the risks that DFS-regulated financial institutions encounter. The primary objectives are to protect sensitive customer data and ensure the integrity of the technology systems that handle it.

As a covered entity looking to meet the regulation, you must assess your cybersecurity risks and implement a risk management program sized to them. Incorporate the NYDFS’s minimum standards for data protection, which include:

  • Implementing risk-based controls for information systems, such as encryption, access controls, and penetration testing
  • Funding the cybersecurity program and staffing it with qualified professionals
  • Establishing incident response plans that preserve data for investigations and notify NYDFS of reportable cybersecurity incidents within 72 hours of determining that one has occurred
  • Developing remediation plans for identified weaknesses and certifying compliance to NYDFS annually, by April 15 of each year

Who Needs to Comply With the NYDFS Cybersecurity Regulation?

The NYDFS Cybersecurity Regulation applies to any entity conducting business in New York that operates under a license, accreditation, or similar authorization under New York’s Banking Law, Insurance Law, or Financial Services Law. This includes: 

  • Large and small state-chartered banks
  • Foreign banks licensed to operate in New York
  • Insurance companies
  • New York licensed lenders
  • Mortgage companies
  • Health maintenance organizations (HMOs)
  • Continuing care retirement communities (CCRCs)
  • Not-for-profit mortgage brokers

Additionally, you may need to flow down certain parts of the regulation to out-of-state suppliers and third-party service providers, especially those with access to your information systems or nonpublic information, since the regulation makes you responsible for vetting and contractually binding them.

Exemptions from NYDFS Cybersecurity Regulation

Some smaller organizations may qualify for a limited exemption under Section 500.19. After the 2023 amendment, you qualify if you meet any one of the following criteria, counting your affiliates as well as your own organization:

  • You have fewer than 20 employees, including independent contractors.
  • You’ve earned less than $7.5 million in gross annual revenue in each of the last three fiscal years from all business operations.
  • You have less than $15 million in year-end total assets.

A limited exemption is not a full one. Even if your organization qualifies, you still need to comply with the core NYDFS requirements, which include:

  • Establishing a cybersecurity program that effectively identifies and mitigates risks
  • Maintaining a written cybersecurity policy
  • Conducting regular risk assessments to evaluate vulnerabilities and exposure
  • Implementing access controls to limit who can access sensitive data
  • Maintaining a third-party service provider policy
  • Keeping an asset inventory and following data retention and disposal rules
  • Notifying NYDFS of reportable cybersecurity incidents and filing the annual certification

NYDFS Cybersecurity Regulation Requirements

If you do need to meet 23 NYCRR Part 500, here’s what to do to ensure your readiness and compliance, according to the NYDFS:

1. Develop a Comprehensive Cybersecurity Policy

Create and maintain a written cybersecurity policy outlining how you plan to protect your information systems and nonpublic information. Include guidelines for data governance, access controls, and incident response, and make sure the policy is reviewed and approved at least annually by your senior governing body or a senior officer.

2. Perform Periodic Risk Assessments

Conduct risk assessments at least annually to identify vulnerabilities in your information systems and understand potential threats. The landscape changes often, so also update the assessment whenever there is a material change to your operations, technology, or risk profile. The results tell you where to place security measures and how strong they need to be.

3. Implement Technical Security Controls

Implement technical security controls to keep systems safe: MFA for access to your information systems (the amended regulation extends this to any individual accessing any of your information systems, with compensating controls only where the CISO approves them in writing), encryption to protect nonpublic information in transit over external networks and at rest, and monitoring of user activity so that unauthorized access can be detected. Annual penetration testing from inside and outside the network by a qualified party, plus automated vulnerability scans and manual review of systems the scans cannot cover, also help you proactively identify and address security weaknesses.

4. Appoint a Chief Information Security Officer (CISO)

Designate a CISO responsible for managing and overseeing your cybersecurity program. The role can be filled by an employee, an affiliate, or a third-party service provider, but you retain responsibility for the program either way.

The CISO must report at least annually to your board of directors or equivalent senior governing body on the status of the cybersecurity program, material cybersecurity risks, and any material cybersecurity events, so that the board has the visibility it needs to exercise oversight.

5. Develop an Incident Response Plan

Develop a written incident response plan, along with business continuity and disaster recovery plans, so you can respond effectively to cybersecurity incidents. The plan should detail how to contain and mitigate harm, preserve data and evidence, and notify the NYDFS within 72 hours of determining that a reportable incident has occurred. Test the plans at least annually with the staff and management critical to the response, and revise them based on lessons from tests and real incidents.

6. Train Your Cybersecurity Personnel

All personnel, not just the security team, must receive cybersecurity awareness training at least annually, and it must cover social engineering. Use these sessions to inform teams about current threats, like phishing and social engineering attacks, and to update them on best practices for defending against these risks. Well-trained personnel are your first line of defense in maintaining cybersecurity resilience.

Legit Security: Your Ally in Compliance 

Aligning with New York cybersecurity regulations can be challenging, but Legit Security’s services are here to help. 

Legit Security provides tools and expertise to help you develop and implement a robust cybersecurity program, so that your organization meets its regulatory requirements efficiently. In addition, Legit helps you map security guardrails to specific frameworks, like NYDFS. You then benefit from real-time monitoring and alerts on compliance violations.

Schedule a demo to learn more.

*** This is a Security Bloggers Network syndicated blog from Legit Security Blog authored by Legit Security. Read the original post at: https://www.legitsecurity.com/blog/understanding-nydfs-cybersecurity-regulation


Source: https://securityboulevard.com/2024/11/understanding-the-nydfs-cybersecurity-regulation/