NY Cybersecurity Regulation

Mar 15, 2017

Overview of New York State Department of Financial Services (NYSDFS) Regulation - 23 NYCRR 500

Regulation 23 NYCRR 500, the Cybersecurity Requirements for Financial Services Companies, was originally proposed by the NYSDFS on September 13, 2016. Based on the comments received during the 45-day comment period ending November 14, 2016, NYSDFS issued updated proposed regulations on December 28, 2016, providing an additional 30-day comment period.

Given cybercriminals' attempts to exploit technological vulnerabilities to gain access to sensitive electronic data, and their ability to cause significant financial losses both for covered entities and for the consumers whose private information may be revealed and/or stolen for illicit purposes, NYSDFS issued this regulation to promote the protection of customer information and of the information systems of covered entities. A Covered Entity for the purposes of this regulation means any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law. All covered entities are required to adopt a cybersecurity program, and all regulated entities are subject to minimum standards with respect to their programs.

The Final Rule came into effect on March 1, 2017 and provides for transitional periods to enable covered entities to achieve full compliance. The regulation follows a risk-based approach and allows limited exemptions for smaller entities as defined in Section 500.19.

Depending on its size (fewer than 10 employees, or less than $5,000,000 in gross annual revenue, or less than $10,000,000 in year-end total assets), a covered entity may qualify for a limited exemption from the specific requirements of sections 500.04 (Chief Information Security Officer), 500.05 (Penetration Testing and Vulnerability Assessments), 500.06 (Audit Trail), 500.08 (Application Security), 500.10 (Cybersecurity Personnel and Intelligence), 500.12 (Multi-Factor Authentication), 500.14 (Training and Monitoring), 500.15 (Encryption of Nonpublic Information), and 500.16 (Incident Response Plan). However, the following sections apply to all covered entities:

  • § 500.01 Provides definitions for terms used in the Regulation
  • § 500.02 Cybersecurity Program Requirements
  • § 500.03 Cybersecurity Policy Requirements
  • § 500.07 Need-based Access Privileges
  • § 500.09 Risk Assessments of Information Systems
  • § 500.11 Security of Information Systems and Information with Third Parties
  • § 500.13 Secure Disposal Policy and Procedures
  • § 500.17 Notices of Cybersecurity Events - to be provided within 72 hours of determination
  • § 500.20 Enforcement by NYSDFS under this and other laws
  • § 500.21 Effective Date of the Regulation - March 1, 2017
    • Annual Certification to the Superintendent by February 15th (starting in 2018)
  • § 500.22 Transitional Period of 180 days for compliance (i.e. compliance required by August 28, 2017)

Descriptions of the various sections of 23 NYCRR 500 are summarized below:

Section 500.01:

  • Definition of terms - Affiliate, Authorized User, Covered Entity, Cybersecurity Event, Information System, Multi-Factor Authentication, Nonpublic Information, Penetration Testing, Publicly Available Information, Risk Assessment, Risk-Based Authentication, Senior Officer(s) and Third Party Service Provider(s).

Section 500.02:

  • Establish and Maintain Cybersecurity Program for core cybersecurity functions
  • Cybersecurity program shall be based on the Covered Entity's Risk Assessment

Section 500.03:

  • Implement and Maintain a written cybersecurity policy for protection of its Information Systems and Nonpublic Information stored on those Information Systems.
    • Policy to be approved by Senior Officer or the board of directors (or an appropriate committee thereof)

Section 500.04:

  • Designate a Chief Information Security Officer (CISO)
  • CISO responsible for Compliance with the regulation and Annual Reporting to Board of Directors or to the Senior Officer responsible for the Covered Entity's cybersecurity program

Section 500.05:

  • Continuous monitoring or, absent effective continuous monitoring, periodic penetration testing and vulnerability assessments:
    • Annual penetration testing
    • Bi-annual (twice-yearly) vulnerability assessments

Section 500.06:

  • Maintain systems that:
    • Are designed to reconstruct material financial transactions sufficient to support normal operations and obligations
    • Include audit trails designed to detect and respond to Cybersecurity Events
  • Retain the records required by this section: not fewer than five years for transaction-reconstruction records and not fewer than three years for audit trail records
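Section 500.06 asks for audit trails that can reconstruct transactions and detect tampering, but does not say how. The following is an added example, not text or code from the regulation or from the page's author: a stdlib-only Python audit trail in which every entry carries an HMAC-SHA256 tag over its own content plus the previous entry's tag, so that editing, deleting or reordering any record breaks the chain from that point on. The key, the sample transactions and the field names are constructed for the demonstration.

```python
"""Tamper-evident audit trail (added example; not from the regulation or the page).

Each entry carries an HMAC-SHA256 tag over its own content plus the previous
entry's tag, so that editing, deleting or reordering any record breaks the
chain from that point forward and the break is detectable on review.
"""
import hashlib
import hmac
import json

GENESIS_TAG = "0" * 64  # chain anchor used as the "previous tag" of entry 0


def _canonical(obj: dict) -> bytes:
    """Stable serialization so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _tag(key: bytes, seq: int, prev: str, record: dict) -> str:
    body = {"seq": seq, "prev": prev, "record": record}
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


def append_record(trail: list, key: bytes, record: dict) -> dict:
    """Append a record to the trail and return the chained entry."""
    seq = len(trail)
    prev = trail[-1]["tag"] if trail else GENESIS_TAG
    entry = {"seq": seq, "prev": prev, "record": record,
             "tag": _tag(key, seq, prev, record)}
    trail.append(entry)
    return entry


def verify_trail(trail: list, key: bytes):
    """Return (True, None) if intact, else (False, position of the first bad entry)."""
    prev = GENESIS_TAG
    for pos, entry in enumerate(trail):
        expected = _tag(key, entry["seq"], entry["prev"], entry["record"])
        if (entry["seq"] != pos or entry["prev"] != prev
                or not hmac.compare_digest(expected, entry["tag"])):
            return False, pos
        prev = entry["tag"]
    return True, None


def build_sample_trail(key: bytes) -> list:
    """Constructed sample transactions (not real data) for demonstration."""
    trail = []
    for rec in (
        {"ts": "2017-03-01T09:00:00Z", "user": "teller01", "txn": "T1001", "amount": "100.00"},
        {"ts": "2017-03-01T09:05:00Z", "user": "teller02", "txn": "T1002", "amount": "250.00"},
        {"ts": "2017-03-01T09:07:00Z", "user": "admin", "txn": "T1003", "amount": "9800.00"},
    ):
        append_record(trail, key, rec)
    return trail


if __name__ == "__main__":
    key = b"demo-key-keep-in-hsm-or-separate-system"  # constructed; not a real key
    trail = build_sample_trail(key)
    print("intact:", verify_trail(trail, key))
    trail[1]["record"]["amount"] = "2500.00"   # edit a record in place
    print("after edit:", verify_trail(trail, key))
    trail = build_sample_trail(key)
    del trail[1]                                # delete a record
    print("after delete:", verify_trail(trail, key))
```

The tag key is what makes the chain evidence rather than a checksum: anyone holding it can re-tag a rewritten history, so in practice it lives with the log-integrity service or an HSM, not on the systems whose activity is being recorded, and the trail itself is shipped to write-once or separately administered storage for the retention period.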

Section 500.07:

  • Limit user access privileges to Information Systems that provide access to Nonpublic Information to those needed (need-based access), and
    • Review these access privileges periodically

Section 500.08:

  • Cybersecurity program shall include written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications, and procedures for evaluating, assessing or testing the security of externally developed applications
  • All procedures, guidelines and standards shall be periodically reviewed, assessed and updated as necessary by the CISO (or a qualified designee).

Section 500.09:

  • Conduct Periodic Risk Assessments of Information Systems, in accordance with written policies and procedures.

Section 500.10:

  • Utilize qualified cybersecurity personnel
  • Provide cybersecurity personnel with cybersecurity updates and training
  • Verify that key cybersecurity personnel take steps to maintain current knowledge
  • Use of an Affiliate or a qualified Third Party Service Provider to assist in meeting these requirements is permitted, subject to the requirements of Section 500.11.

Section 500.11:

  • Implement Written Policies and Procedures to ensure security of Information Systems and Nonpublic Information accessible to or held by Third Parties.

Section 500.12:

  • Use effective controls, which may include Multi-Factor Authentication or Risk-Based Authentication
  • Utilize Multi-Factor Authentication for any individual accessing the Covered Entity's internal networks from an external network, unless reasonably equivalent or more secure access controls exist and are approved in writing.

Section 500.13:

  • Policies and procedures for the Secure Disposal, on a periodic basis, of any Nonpublic Information that is no longer necessary for business operations or other legitimate business purposes, except where retention is required by law or regulation.

Section 500.14:

  • Procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access to, use of, or tampering with Nonpublic Information by Authorized Users
  • Provide for regular cybersecurity awareness training.

Section 500.15:

  • Implement controls, including encryption, to protect Nonpublic Information in transit over external networks, or implement alternative compensating controls reviewed and approved by the CISO
  • Implement controls, including encryption, to protect Nonpublic Information at rest, or implement alternative compensating controls reviewed and approved by the CISO
  • If compensating controls are used, the feasibility of encryption and the effectiveness of the compensating controls shall be reviewed by the CISO at least annually

Section 500.16:

  • Maintain a written Incident Response Plan, as part of the Cybersecurity Program, addressing:
    • Internal processes for responding to a Cybersecurity Event
    • Goals of the incident response plan
    • Definition of clear roles, responsibilities and levels of decision-making authority
    • External and Internal communications and information sharing
    • Identification of requirements for the remediation of any identified weaknesses in Information Systems and associated controls
    • Documentation and reporting regarding Cybersecurity Events and related incident response activities
    • Evaluation and revision as necessary of the incident response plan following a Cybersecurity Event

Section 500.17:

  • Notice of a Cybersecurity Event must be provided to the Superintendent
    • No later than 72 hours from a determination that a Cybersecurity Event has occurred

Section 500.18:

  • Information provided by a Covered Entity pursuant to this Part is subject to exemptions from disclosure under the Banking Law, Insurance Law, Financial Services Law, Public Officers Law or any other applicable state or federal law

Section 500.19:

  • The following entities are granted a limited exemption from the requirements of Sections 500.04 (Chief Information Security Officer), 500.05 (Penetration Testing and Vulnerability Assessments), 500.06 (Audit Trail), 500.08 (Application Security), 500.10 (Cybersecurity Personnel and Intelligence), 500.12 (Multi-Factor Authentication), 500.14 (Training and Monitoring), 500.15 (Encryption of Nonpublic Information), and 500.16 (Incident Response Plan):
    • An entity with fewer than 10 employees, including independent contractors, or
    • An entity with less than $5,000,000 in gross annual revenue in each of the last three fiscal years, or
    • An entity with less than $10,000,000 in year-end total assets

Section 500.20:

  • Enforcement by NYSDFS under this and other laws

Section 500.21:

  • Effective Date: March 1, 2017
  • Annual Certificate of Compliance with the NYSDFS Cybersecurity Regulation required to be submitted to the Superintendent; first certificate due February 15, 2018

Section 500.22:

  • General transitional period of 180 days for compliance
  • Additional transitional periods for compliance with some sections:
    • One year for sections 500.04(b), 500.05, 500.09, 500.12, and 500.14(a)(2)
    • Eighteen months for sections 500.06, 500.08, 500.13, 500.14(a)(1) and 500.15
    • Two years for section 500.11

K.D. is the Managing Director for the New York region. He has over 30 years of experience in bank operations, internal audit, risk management, BSA/AML and regulatory compliance. He has extensive experience managing internal audit, regulatory compliance and consultancy engagements. K.D. is responsible for overseeing all banking and financial services client relationships. In this capacity, he meets regularly with the Boards of Directors, Audit Committees, Audit Committee Chairs and executive management of financial institution clients, as well as with their regulators and external auditors. K.D. interacts closely with the Senior Head Office Management/Boards of Directors of international banking clients. He provides strategic assistance to Boards of Directors and Senior Management in resolving critical regulatory issues.

He has successfully supervised various projects, including the setting up of banks and the voluntary liquidation of bank charters. He is a frequent reviewer of policies and procedures, risk assessments and workpapers, and has led various Quality Assurance Reviews. He has formulated various policies, procedures and risk assessments for financial institutions, including those for Accounting, Remote Deposit Capture, Information Security, ACH, BSA/AML and OFAC. He has also been involved in many projects relating to remediation efforts of institutions under supervisory actions, lookbacks, board/management/staff training, reviews of AML and OFAC systems, etc. He is responsible for regulatory compliance across US offices, interfacing with regulators and training staff across offices on regulatory compliance issues. K.D. reviews and updates various audit programs and risk assessment models. He has designed customized audit programs for Independent Testing of BSA/AML Compliance at various banks, and has also developed an audit program for BSA/AML and Federal and State Regulatory Compliance for money services businesses.

Prior to Accume, K.D. was a Regional Head of Banking, where he implemented an organizational restructuring and established internal reporting and control procedures. He also implemented business planning and reporting, risk assessment procedures and an internal audit program, and coordinated and implemented a plan for the migration of bank branches to new application software. K.D. was also the Head of Compliance and Risk for the US region of a financial institution, responsible for formulating policies and procedures and overseeing their implementation, introducing procedures for self-testing by various compliance officers, conducting AML self-audits at offices, and determining parameters for the risk assessment of customers and for AML monitoring and due diligence procedures. He also implemented entity-specific and enterprise-wide BSA/AML and OFAC risk assessments for the bank. Earlier, he managed the Y2K Project and was the head of the Technology Department at a bank, where he implemented various projects, including ATMs and Internet Banking.

K.D. is a Trainer and is a frequent speaker on regulatory compliance and internal audit topics at conferences and seminars. He is a well published author on BSA/AML, USA PATRIOT Act and OFAC compliance matters. K.D. is a Certified AML Specialist (CAMS), Certified Regulatory Compliance Manager (CRCM) and has Certification in Risk Management Assurance (CRMA). He is also certified in programming. He is a member of the Association of Certified AML Specialists (ACAMS), Institute of Certified Bankers (ICB), Institute of Internal Auditors (IIA) and Association of International Bank Auditors (AIBA). He is a graduate of the University of Lucknow (M.S., Physics; B.S., Physics, Mathematics and Statistics).