Understanding the NYDFS Cybersecurity Regulation (23 NYCRR 500) and Its Implications on Financial Institutions

December 27, 2022
Vintage toned Wall Street at sunset, Manhattan, New York City, USA.

If you are part of a bank, insurance company or mortgage loan servicer that operates in New York, having adequate knowledge of the NYDFS Cybersecurity Regulation is a must. It will help you assess your organization’s state of compliance, identify any deficiencies requiring immediate remediation and possibly save your organization millions in penalties.

What is the NYDFS Cybersecurity Regulation?

The NYDFS Cybersecurity Regulation (also known as the 23 NYCRR Part 500 or 23 NYCRR 500) ensures businesses effectively protect their customers’ confidential information from cyberattacks. The rules were released on February 16, 2017 by the NY Department of Financial Services (NYDFS).

The NYDFS, as a regulatory body, makes it mandatory for businesses that are part of the financial system to conduct regular security risk assessments, audit trails of asset use, build defensive infrastructures, maintain policies and procedures for cybersecurity, and create an incident response plan.

Why was the NYDFS Cybersecurity Regulation established?

The risk posed to financial systems by cybercriminals is on the rise, and to address this growing threat, the NY Department of Financial Services (NYDFS) implemented the NYDFS Cybersecurity Regulation. It aims to mitigate cyberattacks by encouraging organizations to build their risk profiles and design a cybersecurity program that addresses risks in a robust fashion.

Who is subject to the NYDFS Cybersecurity Regulation?

The 23 NYCRR Part 500 applies to all New York entities operating under or required to operate under a license, charter, registration, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.

The covered entities include:

  • Private bankers
  • Licensed lenders
  • State-chartered banks
  • Mortgage companies
  • Insurance companies
  • Service providers
  • Foreign banks licensed to operate in New York

Who is exempt from the NYDFS Cybersecurity Regulation?

The 23 NYCRR 500 offers limited exemptions to organizations:

  • With fewer than 10 employees.
  • That have less than $5 million in gross annual revenue from New York operations for three consecutive years.
  • That hold less than $10 million in year-end total assets.

What are the NYDFS Cybersecurity Regulation requirements?

The regulation requires covered organizations and institutions to protect customer information as well as their information technology systems. To do so, each entity must assess its specific risk profile and build a strong cybersecurity program that addresses its risks. Entities must comply with the following sections of the regulation:

  • s 500.1 Definitions: This regulation defines covered entities, cybersecurity events and other relevant aspects, such as multifactor authentication, penetration testing and risk assessment.
  • s 500.2 Cybersecurity program: This regulation makes it mandatory for the covered organizations to maintain a security program to protect the confidentiality, integrity and availability of the covered entity’s information systems.
  • s 500.3 Cybersecurity policy: This regulation requires covered entities to implement and maintain a written policy or policies based on the covered entity’s risk assessment covering 15 key areas part of the entity’s operations.
  • s 500.4 Chief information security officer: The covered entities are expected to designate a qualified individual responsible for overseeing and implementing the cybersecurity program and enforcing its cybersecurity policy.
  • s 500.5 Penetration testing and vulnerability assessments: The regulation requires entities to undertake continuous monitoring or periodic penetration testing and vulnerability assessments.
  • s 500.6 Audit trail: The entity is expected to carry out regular audit trails to detect and respond to cybersecurity events that can harm its normal operations.             
  • s 500.7 Access privilegesThis regulation requires organizations to limit and periodically reassess user access privileges to sensitive data.
  • s 500.8 Application security: The covered entity must have written procedures and standards for evaluating, assessing or testing the security of externally developed applications utilized by the covered entity within the context of the Covered Entity’s technology environment.
  • s 500.9 Risk assessment: The covered entities must conduct regular risk assessments of their respective information systems to build and develop their cybersecurity program.
  • s 500.10 Cybersecurity personnel and intelligence: Besides a CISO, a covered entity must also have qualified cybersecurity personnel, an affiliate or a third-party service provider to manage its cybersecurity. The section also calls for regular training on evolving risks.      
  • s 500.11 Third-party service provider security policy: A covered entity must implement written policies and guidelines for the security of information systems and non-public information that can be assessed by third-party service providers.               
  • s 500.12 Multifactor authentication: All covered organizations, institutions and services must include multifactor authentication or risk-based authentication to protect against unauthorized access to ensure the security of privileged information.         
  • s 500.13 Limitations on data retention: The covered entities must have procedures in place to securely dispose of non-public information that is no longer necessary for business operations or other legitimate business purposes.
  • s 500.14 Training and monitoringAs part of its cybersecurity program, a covered entity must have policies and controls in place to monitor the activity of authorized users and to detect unauthorized access. They are also expected to provide regular cybersecurity awareness training to the employees.
  • s 500.15 Encryption of non-public information: A covered entity must implement controls, including encryption, to protect non-public information held or transmitted by the covered entity, both in transit over external networks and at rest.
  • s 500.16 Incident response plan: A covered entity must have a written incident response plan that lays out the response and recovery plan following a cybersecurity event.
  • s 500.17 Notices to superintendent: All covered entities must notify the superintendent within 72 hours following a cybersecurity event. An annual report must also be submitted detailing all the compliance initiatives of the covered entities.                
  • s 500.18 Confidentiality: The confidentiality clause in this section offers covered entities exemptions from disclosure under the Banking Law, Financial Services Law, Insurance Law or any other applicable state or federal law.
  • s 500.19 Exemptions: This section offers limited exemptions when a covered entity has fewer than 10 employees and less than $5,000,000 in gross annual revenue in the last three fiscal years from NY business or has less than $10,000,000 in year-end total assets.             
  • s 500.20 Enforcement: This regulation will be implemented by the superintendent in accordance with, but not limited to, the applicable laws.

More detailed information on the requirements above can be found here.

Notable exemptions

Exemption

Exempt from

 

 

  • 500.19(c) – You are entitled to this exemption if you are a covered entity that does not utilize an Information System and that does not and is not required to, directly or indirectly control, own, access, generate, receive or possess non-public Information. This is a limited exemption and entities must still complete an annual risk assessment to confirm that they continue to be entitled to this exemption and meet some but not all the regulatory requirements. This includes submitting an annual Certification of Compliance.

 

500.02- Cybersecurity Program

500.03- Cybersecurity Policy

500.04- Chief Information Security Officer

500.05- Penetration Testing and Vulnerability Assessments

500.06- Audit Trail

500.07- Access Privileges

500.08- Application Security

500.10- Cybersecurity Personnel and Intelligence

500.12- Multifactor Authentication

500.14- Training and Monitoring

500.15- Encryption of Non-public Information

500.16- Incident Response Plan

 

  • 500.19(d) – A captive insurance company that does not control non-public information other than information relating to its corporate parent company. This is a limited exemption and entities must still complete an annual risk assessment to continue to be entitled to this exemption and meet some but not all the regulatory requirements. This includes submitting an annual Certification of Compliance.

 

What is the penalty for non-compliance with the NYDFS Cybersecurity Regulation?

According to NYDS under section 408, “each instance of non-public information encompassed within the charges constitutes a separate violation carrying up to $1,000 in penalties per violation.”

Here are examples of a few notable cases that show how serious the NYDS is about covered entities’ compliance:

  • Residential Mortgage Services, March 2021: The New York Department of Financial Services fined Residential Mortgage Services, Inc. (RMS), an NYDFS-licensed mortgage banker and mortgage loan servicer, $1,500,000 for violations of the Cybersecurity Regulation. The order observed that RMS failed to adequately respond to a data security breach. The organization was also found guilty of failing to conduct a comprehensive cybersecurity risk assessment.
  • National Securities Corporation, April 2021: The DFS Investigation found that the National Securities Corporation had failed to implement multifactor authentication and was the target of four data breach incidents that exposed customer data. National Securities was fined $3 million for these incidents.
  • First Unum Life Insurance Company of America & Paul Reve Life Insurance Company, May 2021: The Superintendent of Financial Services imposed a penalty of $1.8 million on First Unum Life Insurance Company of America and Paul Revere Life Insurance Company for exposure of personal data belonging to consumers. The DFS found that the companies had failed to implement multifactor authentication and were the target of two phishing attacks.
  • Carnival Corporation, June 2022: The DFS investigation discovered that Carnival Corporation and its subsidiaries had failed to implement basic cybersecurity protections that made them an easy target for a data breach that exposed customer data. The Carnival Corporation and its subsidiaries were fined a $5 million penalty.
  • Robinhood Crypto LLC, August 2022The Superintendent of Financial Services ordered Robinhood Crypto, LLC (RHC) to pay $30 million in penalties for significant failures in the areas of bank secrecy act/anti-money laundering obligations and cybersecurity that resulted in violations of the Department’s Virtual Currency Regulation (23 NYCRR Part 200), Money Transmitter Regulation (3 NYCRR Part 417), Transaction Monitoring Regulation (23 NYCRR Part 504), and Cybersecurity Regulation (23 NYCRR Part 500).
  • EyeMed Vision Care LLC, October 2022: A DFS investigation found that EyeMed Vision Care LLC had failed to conduct periodic risk assessments, implement multifactor authentication and assess controls, resulting in a breach that exposed the personal health data of thousands of consumers. EyeMed was subsequently ordered to pay $4.5 million in penalties.

Meet the NYDFS Cybersecurity Regulation requirements with Compliance Manager GRC

Compliance Manager GRC allows you to use all your current IT security tools, software and systems to meet the requirements of the NYDFS Cybersecurity Regulation while you maintain compliance with all your other IT requirements, regardless of source.

The built-in Standard Management Template allows you to quickly determine if you can “check the boxes” for every requirement and identifies the gaps, automatically preparing all of the documents you need to comply with the regulation. Here are a few of the value-added features you get:

  • Rapid Baseline Assessments – Quickly identify gaps required for certification
  • Technical Risk Assessments – Full risk assessment that meets the NYDSF requirements
  • Auditor’s Checklist – Easy access for NYDFS auditors to quickly satisfy their reporting requirements
  • Employee Awareness Training Portal – Tracking and reporting required by the NYDFS
  • Policies & Procedures Manual – Required documentation of everything you need to do
  • Vendor Risk Management Portal – Required for third-party service provider tracking and documentation
  • Automated Documentation & Storage – Meets the NYDFS audit trail requirements for security purposes
  • VulScan Integration – Satisfies the need for regular scanning and eliminates the need for pen testing

Compliance Manager GRC generates all of the documentation you need to satisfy any audit. Request a demo.