How to Meet the DFS 23 NYCRR 500 Cyber Security Regulation
—What is the DFS Cyber Security Regulation?
The NY DFS Cybersecurity Regulation (23 NYCRR 500) is a new set of regulations from the NY Department of Financial Services (NYDFS) that places new cybersecurity requirements on all covered financial institutions. The rules were released on February 16th, 2017 after two rounds of feedback from industry and the public. These regulations acknowledge the ever-growing threat posed to financial systems by cyber criminals, and are designed to ensure businesses effectively protect their customers’ confidential information from cyber attacks. This includes conducting regular security risk assessments, keeping audit trails of asset use, providing defensive infrastructures, maintaining policies and procedures for cyber security, and creating an incident response plan.
Violations can incur fines of $250,000 or one percent of total banking assets.
—Who Needs to Comply?
The NYDFS Cybersecurity Regulation applies to all Covered Entities, meaning “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”
This includes, but is not limited to:
Foreign banks licensed to operate in New York
There are limited exemptions to the NYDFS Cybersecurity Regulation. Organizations that employ fewer than 10 people, produced less than $5 million in gross annual revenue from New York operations in each of the past three years, or hold less than $10 million in year-end total assets are exempt from certain requirements of the Regulation.
—01 When Do I Need to Comply?
The effective date for the new regulation was March 1, 2017. You have 180 days, or until Aug. 28, 2017, to become compliant. Additionally, there are phase-in transition periods for the different provisions, so the earliest date by which you must comply with any part of the regulation is Aug. 28, 2017.
On or before Sept. 27, 2017 (extended to Oct. 30, 2017): initial 20-day period for filing Notices of Exemption.
On or before Feb. 15, 2018: the first annual certification of compliance is due to the New York State Department of Financial Services.
—02 What Do I Need to Do?
First - Send in your certifications. Send the following two certification forms to NYDFS:
1. File your LIMITED EXEMPTION FORM by Sept. 27, 2017 (extended to Oct. 30, 2017), via the NYDFS secure portal: http://on.ny.gov/2qTdBPR. You will first be prompted to Create an Account at the bottom of the screen on the secure portal. This account and portal will be used for future regulatory filings relating to cybersecurity, including notices of cybersecurity events and certifications of compliance.
Then follow these steps:
1. Enter your name and email address (start with your agency name, although you will need to do this for all of your licenses, individual and business entity). Don’t forget the Text Verification on the right-hand side of the form.
2. Hit Submit, and a temporary Password will be emailed to you.
3. Open your email and log on with that password. This will prompt you to Change your Password.
4. Click on the link: “If you are looking to submit your cybersecurity regulations, please click below:”
5. You will see three boxes. Choose the box to the RIGHT, titled “Submit Cybersecurity Notice of Exemption.”
6. Enter your Entity I.D. (license number) or name. Use the name of your agency, the name of your individual license and your New York state license number. Choose the appropriate license and select it on the drop-down menu.
7. Click Next.
8. You will have an opportunity to choose the reasons for your exemption:
a. For agencies, you should select all that apply:
i. Section 500.19(a)(1)—fewer than 10 employees
ii. Section 500.19(a)(2)—less than $5 million in revenue
iii. Section 500.19(a)(3)—less than $10 million in assets
b. For individual licenses, you should choose i. Section 500.19(b)—“employee, agent, representative or designee is covered by the cybersecurity program of the Covered Entity.”
9. Hit Next.
10. Enter your Contact information, click the box and hit Submit.
11. You will then get an Acknowledgement. Print this acknowledgement and put it in your cybersecurity files.
—03 Send Forms
After you’ve completed your compliance documents below, send in your CERTIFICATION OF COMPLIANCE FORM by Feb. 15, 2018, via the NYDFS secure portal: http://on.ny.gov/2qTdBPR. A Covered Entity may not submit a certification under 23 NYCRR 500.17(b) unless the Covered Entity is in compliance with all applicable requirements of Part 500 at the time of certification. The form is available on Page 13. The board of directors or a senior officer(s) of the Covered Entity certifies:
1. the board of directors (or name of senior officer(s)) has reviewed documents, reports, certifications and opinions of such officers, employees, representatives, outside vendors and other individuals or entities as necessary; and
2. to the best of the (board of directors) or (name of senior officer(s)) knowledge, the Cybersecurity Program of (name of Covered Entity) as of (date of the board resolution or senior officer(s) compliance finding) for the year ended (year for which board resolution or compliance finding is provided) complies with Part 23 NYCRR 500. Signed by the chairperson of the board of directors or senior officer(s).
—04 Prepare your compliance documents
Fill in the following paperwork and keep copies for your files (DO NOT send to NYDFS):
1. CONDUCT A RISK ASSESSMENT of your information system (computers):
The Risk Assessment must be carried out in accordance with written policies and procedures and must be documented. Such policies and procedures must include:
1. criteria for the evaluation and categorization of identified cybersecurity risks or threats facing your information system;
2. criteria for the assessment of the confidentiality, integrity, security and availability of your information systems and nonpublic information, including the adequacy of existing controls in the context of identified risks; and
3. requirements describing how identified risks will be mitigated or accepted based on the Risk Assessment and how the cybersecurity program will address the risks.
View a Risk Mitigation Assessment Template Checklist
—05 Prepare a Cybersecurity Program
You are required to maintain a cybersecurity program in your agency designed to protect the confidentiality, integrity and availability of your information systems. Your cybersecurity program will be based on the results of your risk assessment (above) and designed to perform the following core cybersecurity functions:
1. identify and assess internal and external cybersecurity risks that may threaten the security or integrity of nonpublic information stored on your information systems (use the checklist above);
2. use defensive infrastructure and the implementation of policies and procedures to protect your information systems, and the nonpublic information stored on those information systems, from unauthorized access, use or other malicious acts (antivirus and firewall, secure computers at night, regularly change passwords, restrict access to data and systems);
3. detect cybersecurity events (antivirus and firewall);
4. respond to identified or detected cybersecurity events to mitigate any negative effects (antivirus and firewall);
5. recover from cybersecurity events and restore normal operations and services (antivirus and firewall); and
6. fulfill applicable regulatory reporting obligations (use the NYDFS secure portal to report cybersecurity events).
—06 Prepare a Written Cybersecurity Policy
You need to implement and maintain a written policy or policies in your agency setting forth your policies and procedures for the protection of your information systems and the Nonpublic Information stored on those information systems. You are also required to notify the superintendent of cybersecurity events as promptly as possible, but in no event later than 72 hours from a determination that a reportable See:
New York State Department of Financial Services
One State St.
New York, NY 10004-1511
Send them with proof of mailing and keep copies in your files. Like the cybersecurity program, your cybersecurity policy will be based on your risk assessment and needs to address the following areas:
I. information security (antivirus and firewall, passwords);
II. data governance and classification (what types of data do you store and where);
III. asset inventory and device management (physical count of computers);
IV. access controls and identity management (passwords and who has access);
V. business continuity and disaster-recovery planning and resources (backups);
VI. systems operations and availability concerns (procedures if you are hacked);
VII. systems and network security (antivirus and firewall);
VIII. systems and network monitoring (antivirus and firewall);
IX. systems and application development and quality assurance (antivirus and firewall);
X. physical security and environmental controls (locked doors, logging off at night);
XI. customer data privacy (require passwords);
XII. vendor and third-party service provider management (assurances that your partners
XIII. risk assessment (above); and
XIV. incident response (above).
—06 Final Steps
YOU ALSO MUST:
1. Limit and periodically review access privileges to your information system (who can log onto
2. Provide notice to the superintendent of a cybersecurity event, if one occurs (see above).
Use this NYS Security Breach Reporting Form.
Eventually, you will need a THIRD-PARTY PROVIDER SECURITY POLICY, but not until March 2019.
23 NYCRR 500.11 generally requires a Covered Entity to develop and implement written policies and procedures designed to ensure the security of the Covered Entity’s Information Systems and Nonpublic Information that are accessible to, or held by, Third-Party Service Providers.
Where Can I Get Help With This?
MDSNY offers access to a library of information and security experts on this regulation. To receive help with becoming compliant with 23 NYCRR 500, please drop us a line and tell us a little about what you will be needing assistance with on our Contact Us form.
For more information on the NYS Department of Financial Services regulation, you may also refer to the following page: https://www.mdsny.com/the-ny-department-of-financial-services-nydfs-cyber-security-requirements-for-financial-institutions/
Meet Your Security and Regulatory Compliance Needs
Updating your IT Infrastructure doesn't have to be a do-it-yourself project.
With MDS, you can focus on growing your business while we take care of the technology. Our engineers go beyond standard canned offerings by creating end-to-end project solutions tailored to fit your organization's specific needs.
MDS experts are available 24/7 and have a wide range of skills that allow you to harness the power of a large IT team, without the overhead.