How to meet DFS 23 NYCrr 500 Cyber Security Regulation
—What is the DFS Cyber Security Regulation?

The NY DFS Cyber security Regulation (23 NYCRR 500) is a new set of regulations from the NY Department of Financial Services (NYDFS) that places new cyber security requirements on all covered financial institutions. The rules were released on February 16th, 2017 after two rounds of feedback from industry and the public. These regulations acknowledge the ever-growing threat posed to financial systems by cyber criminals, and are designed to ensure businesses effectively protect their customers’ confidential information from cyber attacks. This includes conducting regular security risk assessments, keeping audit trails of asset use, providing defensive infrastructures, maintaining policies and procedures for cyber security, and creating an incident response plan.

Violations can incur fines of $250,000 or one percent of total banking assests.
—Who Needs to Comply?

The NYDFS Cyber security Regulation applies to all covered entities meaning “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the financial Services Law.”

This Includes but is not limited to:

State-chartered banks
Licensed lenders
Private bankers
Foreign banks licensed to operate in New York
Mortgage companies
Insurance companies
Service providers

There are limited exemptions to the NYDFS Cyber security Regulation. Organizations that employ less than 10 people, produced less than $5 million in gross annual revenue from New York operations in each of the past three years, or hold less than $10 million in year-end total assets are exempt from certain requirements of the Regulation.

—01 When Do I need to Comply?

The effective date for the new regulation was March 1, 2017. You have 180 days, or until Aug. 28, 2017 to become compliant. Additionally, there are phase-in transition period for the different provisions. So the earliest that you must comply with any part of the regulation is Aug. 28, 2017.

On or before Sept. 27th, 2017 (has been extended to Oct. 30, 2017) -initial 20-day perior for filing Notices of Exemption.

On or before Feb. 15, 2018-The first annual certification of compliance will be due to the New York State Department of Financial Services. 

—02 What Do I Need to Do?

First - Send in your certifications. Send the following two certification forms to NYDFS:
1. File your LIMITED EXEMPTION FORM by Sept. 27, 2017 (has been extended to Oct. 30, 2017), via the NYDFS secure portal: You will first be prompted to Create an Account at the bottom of the screen on the secure portal. This account and portal will be used for future regulatory filings relating to cyber security, including notices of cyber security events and certifications of compliance.

Then follow the following steps:

1. Enter your name and email address (start with your agency name, although you will need to do this for all of your licenses (individual and business
entity). Don’t forget the Text Verification on the right-hand side of the form.
2. Hit Submit, and a temporary Password will be emailed to you.
3. Open your email and log on with that password. This will prompt you to Change your Password.
4. Click on the link: “If you are looking to submit your cybersecurity regulations, please click below:

5. You will see three boxes. Choose the box to the RIGHT, titled “Submit”
Cybersecurity Notice of Exemption.”

6. Enter your Entity I.D. (license number) or name. Use the name of your agency, the name of your individual license and your New York state license number. Choose the appropriate license and select it on the drop-down menu.
7. Click Next.
8. You will have an opportunity to choose the reasons for your exemption:
a. For agencies, you should select all that apply:
i. Section 500.19(a)(1—less than 10 employees
ii. Section 500.19(a)(2)—less than $5 million in revenue
iii. Section 500.19(a)(3)—less than $10 million in assets
b. For individual licenses, you should choose i. Section 500.19(b —“employee, agent, representative or designee is covered by the cyber security program of the Covered Entity.”
9. Hit Next.
10. Enter your Contact information, click the box and hit Submit.
11. You will then get an Acknowledgement. Print this acknowledgement and put it in your cyber security files.

Speak to a DFS 23 NYCRR 500 expert today

—03 Send Forms

After you’ve completed your compliance documents below, send in your CERTIFICATION OF COMPLIANCE FORM by Feb. 15, 2018, via the NYDFS secure portal:  A Covered Entity may not submit a certification under 23 NYCRR 500.17(b) unless the Covered Entity is in compliance with all applicable requirements of Part 500 at the time of certification. Form is available on Page 13. The board of directors or a senior officer(s) of the Covered Entity certifies:
1. the board of directors (or name of senior officer(s) has reviewed documents, reports, certifications and opinions of such officers, employees, representatives, outside vendors and other individuals or entities as necessary; and
2. to the best of the (board of directors) or (name of senior officer(s)) knowledge, the Cyber security Program of (name of Covered Entity) as of  (date of the board resolution or senior officer(s) compliance finding) for the year ended (year for which board resolution or compliance finding is provided) complies with Part 23 NYCRR 500. Signed by the chairperson of the board of directors or senior officer(s)

Cyber Security Assessment

—04 Prepare your compliance documents

Fill in the following paperwork and keep copies for your files (DO NOT send to NYDFS):
1. CONDUCT A RISK ASSESSMENT of your information system (computers):
The Risk Assessment must be carried out in accordance with written policies and procedures and must be documented. Such policies and procedures must include:
1. criteria for the evaluation and categorization of identified cyber security risks or threats facing your information system;
2. criteria for the assessment of the confidentiality, integrity, security and availability of your information systems and nonpublic information, including the adequacy of existing controls in the context of identified risks; and
3. requirements describing how identified risks will be mitigated or accepted based on the Risk Assessment and how the cyber security program will address the risks.

View a Risk Mitigation Assessment Template Checklist

—05 Prepare A Cyber security Program

You are required to maintain a cyber security program in your agency designed to protect the confidentiality, integrity and availability of your information systems. Your cyber security program will be based on the results of your risk assessment (above) and designed to perform the following core cyber security functions:
1. identify and assess internal and external cyber security risks that may threaten the security or integrity of nonpublic information stored on your information systems (use checklist above);
2. Use defensive infrastructure and the implementation of policies and procedures to protect your information systems, and the nonpublic information stored on those
information systems, from unauthorized access, use or other malicious acts (antivirus and firewall, secure computers at night, regularly change passwords, restrict access to data and systems)

3. Detect cyber security events (antivirus and firewall);
4. respond to identified or detected cyber security events to mitigate any negative effects (antivirus and firewall);

5. cover from cyber security events and restore normal operations and services (antivirus and firewall); and
6. fulfill applicable regulatory reporting obligations (use NYDFS secure portal to report cyber security events).

—06 Prepare a Written Cyber security Policy

You need to implement and maintain a written policy or policies in your agency setting forth your policies and procedures for the protection of your information systems and the Nonpublic Information stored on those information systems. You are also required to notify the superintendent of cyber security events as promptly as possible, but in no event later than 72 hours from a determination. See:

New York State Department of Financial Services
One State St.
New York, NY 10004-1511

And send them with a proof of mailing and keep copies in your files. Like the cyber security program, your cyber security policy will be based on your risk assessment and needs to address the following areas:

I. information security (antivirus and firewall, passwords);
II. data governance and classification (what types of data do you store and where);
III. asset inventory and device management (physical count of computers);
IV. access controls and identity management (passwords and who has access);
V. business continuity and disaster-recovery planning and resources (backups);
VI. systems operations and availability concerns (procedures if you are hacked);
VII. systems and network security (antivirus and firewall);

VIII. systems and network monitoring (antivirus and firewall);
IX. systems and application development and quality assurance (antivirus and firewall);
X. physical security and environmental controls (locked doors, logging off at night);
XI. customer data privacy (require passwords);
XII. vendor and third-party service provider management (assurances that your partners
are secure);
XIII. risk assessment (above); and
XIV. incident response (above).

Get a free Third Party Security Vendor Report

—06 Final Steps

1. Limit and periodically review access privileges to your information system (who can log onto
your computers).
2. Provide notice to the superintendent of a cyber security event, if one occurs (see above).
Use this NYS Security Breach Reporting Form.
Eventually, you will need a THIRD-PARTY PROVIDER SECURITY POLICY, but not until March 2019.
23 NYCRR 500.11 generally requires a Covered Entity to develop and implement written policies and procedures designed to ensure the security of the Covered Entity’s Information Systems and Nonpublic Information that are accessible to, or held by, Third- Party Service Providers.

Where Can I Get Help With This?

MDS offers access to a library of information and security experts on this regulation To receive help with becoming Compliant for 23 NYCRR 500, please drop us a line and tell us a little about what you will be needing assistance with on our Contact Us form.

For more information around the NYS Department of Financial services regulation. You may also refer to the following page:

Meet your Security and Regulatory Complance Needs