NYDFS Cybersecurity Regulation

    United States of America (USA)

    23 NYCRR 500

    The New York Department of Financial Services (“NYDFS” or “DFS”) Cybersecurity Regulation (“the Regulation”) is intended to promote the protection of customer information as well as the information technology systems of financial services companies. The Regulation became effective on March 1, 2019, after a two-year implementation period.


    Last Updated: July 30, 2019

  • General

    According to a memo from the DFS superintendent, “the purpose of the DFS cybersecurity regulation is to bolster the financial services industry’s defenses against cybersecurity attacks, in order to protect our markets and consumers’ private information.”

    The Regulation “requires all DFS regulated entities, subject to certain exemptions, to adopt the core requirement of a cybersecurity program, including a cybersecurity policy, effective access privileges, cybersecurity risk assessments, and training and monitoring for all authorized users, among other requirements. The regulation also requires the establishment of governance processes to ensure senior attention to these important protections.”

    The Regulation covers any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law of the NYDFS (“Covered Entity”). Specifically, the Regulation covers:

    • Licensed lenders
    • State-chartered banks
    • Trust companies
    • Service contract providers
    • Private bankers
    • Mortgage companies
    • Insurance companies doing business in New York
    • Non-U.S. banks licensed to operate in New York

    However, the following entities are exempted from the regulation:

    • Entities with fewer than 10 employees, including any independent contractors, of the covered entity or its affiliates located in New York or responsible for business of the covered entity
    • Entities with less than $5 million in gross annual revenue for three years from New York business operations of the covered entity and its affiliates, or
    • Entities with less than $10 million in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all affiliates

    Key Definitions

    “Covered Entity means any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” (500.01(c))

    “Cybersecurity Event means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.” (500.01(d))

    “Information System means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.” (500.01(e))

    “Nonpublic Information shall mean all electronic information that is not Publicly Available Information and is:

    1. Business related information of a Covered Entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the Covered Entity; 
    2. Any information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements: (i) social security number, (ii) drivers’ license number or non-driver identification card number, (iii) account number, credit or debit card number, (iv) any security code, access code or password that would permit access to an individual’s financial account, or (v) biometric records;
    3. Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual and that relates to (i) the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual’s family, (ii) the provision of health care to any individual, or (iii) payment for the provision of health care to any individual.” (500.01(g))
  • Data Minimization, Storage Limitation and Accuracy

    The Regulation requires Covered Entities to have “policies and procedures for the secure disposal on a periodic basis of any Nonpublic Information . . . that is no longer necessary for business operations or for other legitimate business purposes of the Covered Entity.” (23 NYCRR 500.13)

    However, there is an exception to this requirement “where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.” (500.13)

  • Security and Prevention

    Cybersecurity Program 

    The Regulation requires Covered Entities to “maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems.” (23 NYCRR 500.02(a))

    The cybersecurity program must be based on a risk assessment and be designed to do the following:

    1. “identify and assess internal and external cybersecurity risks that may threaten the security or integrity of Nonpublic Information stored on the Covered Entity’s Information Systems;
    2. use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity’s Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts;
    3. detect Cybersecurity Events;
    4. respond to identified or detected Cybersecurity Events to mitigate any negative effects;
    5. recover from Cybersecurity Events and restore normal operations and services; and
    6. fulfill applicable regulatory reporting obligations.” (500.02(b))

    Additionally, all documentation and information relevant to the cybersecurity program must be made available to the DFS superintendent upon request. (500.02(d))

    Business Continuity 

    The Regulation requires Covered Entities to “securely maintain systems that, to the extent applicable and based on its Risk Assessment:

    1. are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the Covered Entity; and
    2. include audit trails designed to detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity.” (500.06(a))

    Moreover, the Regulation requires that these records be retained for no fewer than five years and three years, respectively. (500.06(b))

    Information Security Officer  

    Covered Entities must also “designate a qualified individual responsible for overseeing and implementing” the cybersecurity program and enforcing its policies. (500.04(a)) Notably, this security officer does not need to be employed by the Covered Entity—they can also be employed by one of the Covered Entity’s Affiliates or by a Third Party Service Provider.

    In the event that a third party is used to meet this requirement, the Covered Entity must do the following:

    1. “retain responsibility for compliance with the Regulation;
    2. designate a senior member of the Covered Entity’s personnel responsible for direction and oversight of the Third Party Service Provider; and
    3. require the Third Party Service Provider to maintain a cybersecurity program that protects the Covered Entity in accordance with the Regulation.” (500.04(a))


    At least annually, the security officer must also provide a written report on the cybersecurity program and relevant risks to their board of directors or equivalent governing body (or to a Senior Officer responsible for the cybersecurity program if no board or equivalent body exists). (500.04(b))

    Specifically, the security officer must consider the following, where applicable:

    1. “the confidentiality of Nonpublic Information and the integrity and security of the Covered Entity’s Information Systems;
    2. the Covered Entity’s cybersecurity policies and procedures;
    3. material cybersecurity risks to the Covered Entity;
    4. overall effectiveness of the Covered Entity’s cybersecurity program; and
    5. material Cybersecurity Events involving the Covered Entity during the time period addressed by the report.” (500.04(b)(1))

    Cybersecurity Personnel and Intelligence 

    In addition to designating an information security officer, Covered Entities must also employ qualified personnel to support the cybersecurity program. Specifically, Covered Entities must:

    1. “utilize qualified cybersecurity personnel of the Covered Entity, an Affiliate or a Third Party Service Provider sufficient to manage the Covered Entity’s cybersecurity risks and to perform or oversee the performance of the core cybersecurity functions specified in [the Regulation];
    2. provide cybersecurity personnel with cybersecurity updates and training sufficient to address relevant cybersecurity risks; and
    3. verify that key cybersecurity personnel take steps to maintain current knowledge of changing cybersecurity threats and countermeasures.” (500.10(a))

    Similar to the requirement for an information security officer (see above), Covered Entities may “utilize an Affiliate or qualified Third Party Service Provider to assist in complying” with these requirements. (500.10(b))

    Cybersecurity Policy 

    The cybersecurity program must be based on documented and approved policies and procedures that are based on the results of the Risk Assessment. (500.03) Specifically, the documentation must be “approved by a Senior Officer or the Covered Entity’s board of directors (or an appropriate committee thereof) or equivalent governing body” and should address the following, where applicable:

    1. “information security;
    2. data governance and classification;
    3. asset inventory and device management;
    4. access controls and identity management;
    5. business continuity and disaster recovery planning and resources;
    6. systems operations and availability concerns;
    7. systems and network security;
    8. systems and network monitoring;
    9. systems and application development and quality assurance;
    10. physical security and environmental controls;
    11. customer data privacy;
    12. vendor and Third Party Service Provider management;
    13. risk assessment; and
    14. incident response.” (500.03)

    Risk Assessments 

    The Regulation requires the cybersecurity program to be based on periodic risk assessments. (500.02(b))

    The scope of the risk assessments must be flexible enough to address changes to information, systems or business operations, as well as to allow for the revision of controls in response to technological developments and evolving threats. (500.09(a))

    Additionally, the Risk Assessment must be conducted according to documented policies and procedures that include:

    1. “criteria for the evaluation and categorization of identified cybersecurity risks or threats facing the Covered Entity;
    2. criteria for the assessment of the confidentiality, integrity, security and availability of the Covered Entity’s Information Systems and Nonpublic Information, including the adequacy of existing controls in the context of identified risks; and
    3. requirements describing how identified risks will be mitigated or accepted based on the Risk Assessment and how the cybersecurity program will address the risks.” (500.09(b))

    Training and Monitoring 

    Covered Entities must implement policies, procedures and controls designed to monitor user activity and access to Nonpublic Information.

    Additionally, regular cybersecurity awareness training must be provided to all personnel and kept up-to-date to reflect risks identified in the risk assessment process. (500.14)

    Penetration Testing and Vulnerability Assessments 

    Covered Entities are required to conduct monitoring and testing designed to assess the effectiveness of the cybersecurity program. In general, this requirement can be met through effective continuous monitoring to detect changes in information systems that may create or indicate vulnerabilities. However, if continuous monitoring is not possible, Covered Entities must conduct:

    1. “annual Penetration Testing of the Covered Entity’s Information Systems determined each given year based on relevant identified risks in accordance with the Risk Assessment; and
    2. bi-annual vulnerability assessments, including any systematic scans or reviews of Information Systems reasonably designed to identify publicly known cybersecurity vulnerabilities in the Covered Entity’s Information Systems based on the Risk Assessment.” (500.05)

    Access Privileges 

    Covered Entities are also required to “limit user access privileges to Information Systems that provide access to Nonpublic Information” and to “periodically review such access privileges.” (500.07)

    Application Security 

    The cybersecurity program must also include “written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications” as well as “procedures for evaluating, assessing or testing the security of externally developed applications” used by the Covered Entity. (500.08)

    Multi-Factor Authentication 

    Based on the results of its risk assessment, a Covered Entity must implement controls for protecting against unauthorized access to information, such as multi-factor or risk-based authentication. (500.12(a))

    Additionally, multi-factor authentication is required for “any individual accessing the Covered Entity’s internal networks from an external network” unless the security officer has approved, in writing, the use of “reasonably equivalent or more secure access controls.” (500.12(b))


    Covered Entities are also required to “implement controls, including encryption, to protect Nonpublic Information held or transmitted by the Covered Entity both in transit over external networks and at rest.” (500.15)

    In general, the Regulation treats encryption as the preferred method, but where this is infeasible, the Covered Entity may instead use “effective alternative compensating controls” that have been reviewed and approved by the security officer, so long as “the feasibility of encryption and effectiveness of the compensating controls” is reviewed by the security officer at least annually. (500.15)

  • Accountability and Recordkeeping

    As with many privacy and security laws, an organization’s ability to demonstrate compliance is critical under the Regulation. Specifically, the Regulation states that “[a]ll documentation and information relevant to the Covered Entity’s cybersecurity program shall be made available to the superintendent upon request.” (500.02(d)) (emphasis added).

    Certificate of Compliance 

    In addition to 72-hour notices of cybersecurity events (covered in detail in the section titled “Incident and Breach” below), Covered Entities are also required to submit annual written statements to the DFS superintendent certifying compliance with the Regulation, and must maintain evidence supporting the certificate for examination by the DFS for a period of five (5) years. (500.17(b))

    Additionally, Covered Entities must document the identification of any “areas, systems or processes that require material improvement, updating or redesign” as well as the “remedial efforts planned and underway to address such areas, systems or processes,” and make this documentation available for inspection by the DFS superintendent. (500.17(b))

  • Vendor Management

    The Regulation defines “Third Party Service Provider(s)” as “a Person that (i) is not an Affiliate of the Covered Entity, (ii) provides services to the Covered Entity, and (iii) maintains, processes or otherwise is permitted access to Nonpublic Information through its provision of services to the Covered Entity.” (500.01(n))

    The Regulation also provides that Covered Entities may utilize Third Party Service Providers to serve in cybersecurity roles. See 500.04(a) and 500.10(a)(1), (b).

    Specifically, Covered Entities must do the following, with respect to vendor management:

    1. Address “vendor and Third Party Service Provider management” in a written cyber security policy (500.03(l));
    2. where using a Third Party Service Provider as an external Chief Information Security Officer (CISO) under 500.04(a), “designate a senior member of the Covered Entity’s personnel responsible for direction and oversight of the Third Party Service Provider” (500.04(a)(2));
    3. “require the Third Party Service Provider to maintain a cybersecurity program that protects the Covered Entity in accordance with the requirements of [the Regulation]” (500.04(a)(3)); and
    4. implement a “Third Party Service Provider Security Policy” that is based on the periodic Risk Assessment required under 500.09, and that addresses the following (to the extent applicable) under 500.11:
      1. “the identification and risk assessment of Third Party Service Providers;
      2. minimum cybersecurity practices required to be met by such Third Party Service Providers in order for them to do business with the Covered Entity;
      3. due diligence processes used to evaluate the adequacy of cybersecurity practices of such Third Party Service Providers; and
      4. periodic assessment of such Third Party Service Providers based on the risk they present and the continued adequacy of their cybersecurity practices.” (500.11(a)).

    Finally, the “Third Party Service Provider Security Policy” must include “relevant guidelines for due diligence and/or contractual protections relating to Third Party Service Providers including to the extent applicable guidelines addressing:

    1. the Third Party Service Provider’s policies and procedures for access controls, including its use of Multi-Factor Authentication as required by section 500.12 […], to limit access to relevant Information Systems and Nonpublic Information;
    2. the Third Party Service Provider’s policies and procedures for use of encryption as required by section 500.15 […] to protect Nonpublic Information in transit and at rest;
    3. notice to be provided to the Covered Entity in the event of a Cybersecurity Event directly impacting the Covered Entity’s Information Systems or the Covered Entity’s Nonpublic Information being held by the Third Party Service Provider; and
    4. representations and warranties addressing the Third Party Service Provider’s cybersecurity policies and procedures that relate to the security of the Covered Entity’s Information Systems or Nonpublic Information.” (500.11(b))
  • Incident and Breach

    The Regulation defines a Cybersecurity Event as “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.” (500.01(d))

    Incident Response Plan

    Covered Entities must “establish a written incident response plan designed to promptly respond to, and recover from, any Cybersecurity Event materially affecting the confidentiality, integrity or availability of the Covered Entity’s Information Systems or the continuing functionality of any aspect of the Covered Entity’s business or operations.” (500.16(a))

    The incident response plan must address the following:

    1. “the internal processes for responding to a Cybersecurity Event;
    2. the goals of the incident response plan;
    3. the definition of clear roles, responsibilities and levels of decision-making authority;
    4. external and internal communications and information sharing;
    5. identification of requirements for the remediation of any identified weaknesses in Information Systems and associated controls;
    6. documentation and reporting regarding Cybersecurity Events and related incident response activities; and
    7. the evaluation and revision as necessary of the incident response plan following a Cybersecurity Event.” (500.16(b))


    Covered Entities are required to notify the DFS superintendent “as promptly as possible but in no event later than 72 hours” after determining that one of the following Cybersecurity Events has occurred:

    1. “Cybersecurity Events impacting the Covered Entity of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body; or
    2. Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.” (500.17(a))

    According to the DFS superintendent, “[t]he purpose of this notice provision is to provide the Department with information relevant to its supervision of the financial services industry, including to provide confidential assistance to regulated entities with respect to information learned by the Department that could be useful to further bolster industry’s cybersecurity protections.”

    The notices are reviewed by DFS investigators who, “in consultation with [DFS] examination and supervisory teams, assess the information and take appropriate actions to address any concerns” including:

    • Providing information, subject to confidentiality requirements, to other regulated entities regarding a potential threat;
    • Alerting appropriate law enforcement bodies;
    • Ensuring that the Covered Entity addresses impacted consumers; and
    • Ensuring that “necessary steps are being taken to close and remedy the system issue that led to the breach.”
