May 17, 2023
The 6 New Amendments For NYDFS
New York regulations are being updated with more stringent cybersecurity requirements for banking, insurance, and financial service providers. The draft updates to the regulation were released on November 9th and are currently in a 60-day comment period. Here is what you need to know.
The New York Department of Financial Services (DFS) previously released a draft of amendments to its existing cybersecurity regulation, 23 NYCRR Part 500. The proposal raises the bar for covered organizations and the individuals who run their security programs by adding controls they must implement to remain in compliance.
What Is 23 NYCRR 500?
In 2017, the New York State (NYS) Department of Financial Services (DFS) implemented 23 NYCRR Part 500, a regulation establishing cybersecurity requirements for financial services companies. Title 23 of the New York Codes, Rules, and Regulations (NYCRR) covers financial services; Part 500 addresses the protection of nonpublic information. You may also see this regulation referred to as NYS DFS 500.
Why Did New York Implement This Regulation?
New York State implemented this regulation to protect financial services markets and consumers' private information in response to the significant growth in data breaches and cyber threats. By providing a single comprehensive framework, the regulation standardizes the language and the minimum security controls for protecting private information within the financial sector. It is designed to protect both the consumers and the organizations that make up the financial services industry. Following the regulation is not optional: DFS imposes fines for failing to do so.
What are the consequences?
There have been multiple instances where an organization has failed to comply with the DFS regulation, leading to costly settlements. One such settlement resulted in a $5 million fine for failing to comply with the regulation. In another case, an entity that falsely certified its compliance was penalized $1.8 million. These cases show that DFS treats noncompliance seriously and that negligence results in hefty fines. The regulation's core requirements include the following:
- Establish a cybersecurity program and assign a qualified Chief Information Security Officer (CISO).
- Establish a cybersecurity governance program that includes regular reporting and notifications to the executive team and annual reporting to the Board of Directors on the cybersecurity program status and material risks.
- Establish and maintain cybersecurity policies. These must cover data classification, business continuity and data recovery, vendor risk management, incident response, and physical security at a minimum.
- Conduct annual penetration testing and bi-annual vulnerability assessments.
- Provide security awareness training to personnel and monitor activities of authorized users.
- Use multi-factor authentication (MFA) for accessing internal networks from external networks.
- Encrypt data in transit and at rest.
- Notify NYS Superintendent of cybersecurity events within 72 hours.
(as stated in the NYDFS Proposed Amendments Regulation)
Rigorous notification requirements
The DFS has heightened the notification requirements that organizations must meet when alerting it to incidents. Previously, an organization had to notify DFS within 72 hours of determining that a reportable cybersecurity event had occurred. Under the newly drafted amendments, unauthorized access to a privileged account (an account able to perform security-relevant functions that ordinary users cannot) and the deployment of ransomware must be reported as well, rather than being left to the organization's own judgment of materiality. The intent is that earlier reporting of a compromised privileged account, or of any unauthorized access into the organization's systems, limits the damage to the targeted organization and gives it additional help and time to contain the incident.
Increased responsibilities of the CISO and of personnel supporting the CISO in operations (the original requirement was only to designate a CISO)
Protecting data means designating a professional within the organization who provides oversight of its security practices. The amendment states that the Chief Information Security Officer (CISO) and the board now have increased responsibilities for compliance with the regulation. The CISO is a C-level executive security professional whose role focuses on protecting personal and organizational data, assets, infrastructure, and IT systems.
The enhanced requirements include the following:
- The CISO must have the knowledge and experience to provide the right leadership for governing cyber risk.
- The CISO must review the organization's encryption controls and report remediation plans and cybersecurity event plans to the board yearly.
- All cybersecurity policies must be approved by the board on a yearly basis.
- Every organization must submit an annual certification of compliance, or an acknowledgment of noncompliance, signed by both the CEO and the CISO.
Increased requirements for larger organizations
Along with the additions to the notification requirements, the DFS has also proposed increased requirements for "Class A" companies: organizations with over 2,000 employees, or with more than $1 billion in annual revenue averaged over the past three years. Some of these requirements are as follows:
- Conducting more frequent system scans and reviews to identify possible vulnerabilities, and reporting the gaps found in testing to management.
- Implementing endpoint detection and response (EDR), logging, and monitoring solutions.
- Monitoring user access and authorization.
- An annual audit of the cybersecurity program performed by an independent organization.
- A risk assessment conducted by a third party every three years.
Increased Incident Response Requirements
While having an incident response plan is significant, having a business continuity and disaster recovery (BCDR) plan is equally important. BCDR is vital for organizations because it aims to lessen the effects of business disruptions and outages on daily operations. An effective BCDR plan acts as a proactive measure that reduces the risk of data loss and reputational harm and keeps business operations running. The amendments list components such as:
- Identifying the elements of the business's daily operations that are critical to the organization's function.
- Communications with stakeholders.
- Identifying the third parties that the organization's business continuity depends on.
- A means of upholding the organization's data retention procedures during a disruption.
Additionally, the DFS requires that incidents be classified by category and that a corresponding action plan be communicated to all appropriate personnel. BCDR plans should be maintained offsite, and personnel roles, responsibilities, and training should be clearly communicated and disseminated.
Heightened Technology and Policy Requirements
The amendments also introduce stricter, if foreseeable, policy requirements from a technical viewpoint. These requirements center on the principle of least privilege: only the minimum necessary set of users should be able to access a system, and each should be able to perform only the limited set of functions required for their work. This drives the need for:
- Multi-factor authentication (MFA) for remote access to the organization's information systems, for third-party applications, and for all privileged accounts.
- Monitoring of user privileges to ensure least privilege is actually being enforced.
- Email filtering to prevent harmful content from reaching authorized users.
- Stricter password policy requirements.
- Penetration testing performed annually.
- A maintained, accurate, and up-to-date inventory of all assets used within the organization.
The DFS has also clarified the requirements for risk assessments to ensure that each assessment is specific to the organization being assessed, encompassing its governance, personnel, policies, procedures, products, vendors, customers, and so forth. The risk assessment must be updated annually and falls within the scope of the cybersecurity program under the draft amendments. Lastly, whenever an event results in a material change to the organization, the risk assessment must be updated.
The proposed changes were first introduced on July 29, 2022, followed by a notice-and-comment period that is currently ongoing. The changes will go into effect on a date in 2023 that has yet to be determined.
Certifications of compliance for the next year will have to be submitted by April 15th, 2024. Entities will have to certify compliance with the amended regulation according to the timeline contained in the final regulation.
With these changes to the regulation, organizations will have to follow stricter guidelines and ensure that they are maintaining and practicing sound security controls. The added security will cost money and time to maintain, but it will ultimately produce a stronger and better-structured organization. As always, companies should follow best practices to avoid damage and should familiarize themselves with the regulation.
We Can Help
Tevora has over 20 years of experience helping QSRs and retailers identify and remediate data privacy risks and vulnerabilities. We also have a deep understanding of U.S. and international data privacy laws and can help bring your organization into compliance. Tevora prides itself on high-quality cybersecurity consulting and has earned an ISO 17020 certification for cybersecurity inspection services, including the ability to perform certifications against NYSDFS 23 NYCRR Part 500. Certification details are available here.
If you have questions about privacy laws or would like help bringing your organization into compliance, just give us a call at (833) 292-1609 or email us at firstname.lastname@example.org.