Financial services organizations doing business in New York are required to comply with the cybersecurity requirements laid out in the 23 NYCRR 500 regulation and must file a Certification of Compliance by February 15th each year.
Below we have highlighted key aspects of 23 NYCRR 500 and how Tevora’s team of security specialists can help you prepare and certify for compliance with this important regulation.
What Is 23 NYCRR 500?
In 2017, the New York State (NYS) Department of Financial Services (DFS) implemented 23 NYCRR Part 500, a regulation establishing cybersecurity requirements for financial services companies. Chapter 23 of the New York Codes, Rules, and Regulations (NYCRR) covers financial services requirements. Part 500 addresses the protection of nonpublic information. You may also see this regulation referred to as NYS DFS 500.
Who Does It Apply To?
NYSCRR 500 applies to banking, insurance, and financial services companies operating in the state of New York.
According to this framework, “Covered Entities” are defined as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” While this may sound like the regulation only applies to individuals, it defines “Person” as “any individual or any non-governmental entity, including but not limited to any non-governmental partnership, corporation, branch, agency or association.”
The regulation exempts certain types of Covered Entities. Notably, these exemptions apply to some but not all of the regulation’s provisions. Exemptions apply if you meet one or more of these criteria:
- Fewer than ten employees, including subcontractors.
- Less than $5 million in gross annual revenue in each of the last three years from New York business.
- Less than $10 million in year-end assets.
- Employee, agent, rep of another Covered Entity, and you are following that entity’s cybersecurity program.
- Do not operate, maintain, utilize, or control any IT systems and do not have access to, generate, or receive nonpublic information.
More information about which regulation provisions you might be exempt from can be found here if you meet one or more of these criteria.
Why Did New York Implement This Regulation?
New York State implemented this regulation to protect financial services markets and consumers’ private information in response to the significant growth in data breaches and cyber threats. By providing a comprehensive format, this regulation aims to standardize language and security parameters for the protection of private information within the financial space.Are There Fines for Non-Compliance?
Fines for violations of 23 NYCRR 500 can be significant. Here are our estimates of what the fines could be based on the NY Banking Law:
- $2,500/day during which violation continues.
- $15,000/day in the event of any reckless or unsound practice.
- $75,000/day in the event of knowing and willful violation.
What Is Nonpublic Information?
23 NYCRR 500 was designed to protect the nonpublic information (NPI) of a Covered Entity from tampering, unauthorized disclosure, access, or use that has a material adverse impact on the business, operations, or security.
Some examples of NPI include:
- Individual name, number, personal mark, or other identifier with:
- Social security number, driver’s license number, identification card number.
- Account number, credit or debit card number.
- Security code, access code, or password that would permit access to an individual’s financial account.
- Biometric records.
- Information from a health insurance provider or an individual that relates to:
- Mental or behavioral health of any individual or a member of the individual’s family.
- The provision of health care to any individual.
- Payment for the provision of health care to any individual.
What Requirements Do We Need to Comply With?
Note a quick guide to understanding key 23 NYCRR 500 cybersecurity requirements:
- Establish a cybersecurity program and assign a qualified Chief Information Security Officer.
- Establish a cybersecurity governance program that includes regular reporting and notifications to the executive team and annual reporting to the Board of Directors on the cybersecurity program status and material risks.
- Establish and maintain cybersecurity policies. These must cover data classification, business continuity and data recovery, vendor risk management, incident response, and physical security at a minimum.
- Conduct annual penetration testing and bi-annual vulnerability assessments.
- Provide security awareness training to personnel and monitor activities of authorized users.
- Use multi-factor authentication (MFA) for accessing internal networks from external networks.
- Encrypt data in transit and at rest.
- Notify NYS Superintendent of cybersecurity events within 72 hours.
- Submit a Certification of Compliance report annually via the DFS Cybersecurity Portal. Reports covering calendar year 2021 are due on February 15, 2022.
We Can Help
If you need help meeting 23 NYCRR 500 requirements, Tevora’s team of security experts has got you covered. We are an accredited ISO 17020 Inspection Body and have been approved to perform inspections of information systems to assess their compliance with 23 NYCRR 500. We have helped many of New York’s leading financial services companies achieve 23 NYCRR 500 compliance and would welcome the chance to do this for you.
Based on our extensive experience with 23 NYCRR 500, we have developed a streamlined, three-phased approach to help our clients achieve compliance.
Phase 1 – Gap Assessment
In this phase, we review your environment to identify areas of non-compliance within23 NYCRR 500. Our findings are documented in a report that describes each control objective for which a gap was found, details of the identified gaps, and recommendations for remediation.
Phase 2 – Remediation Support
We partner with your team to take the steps needed to resolve the gaps identified in Phase 1. The work we perform will depend on the identified areas of improvement and the degree to which you would like Tevora’s help with becoming compliant with closing the gaps.
In the remediation process, we often assist with::
- Documentation Support. This includes deliverables such as developing an incident response plan or documenting policies.
- Service Support. For example, penetration testing.
- Solution Implementation. We help implement security solutions such as multi-factor authentication (MFA).
- For example, best practice recommendations for the implementation of the industry’s top technologies technology.
- Configuration Assistance. We help make configuration changes needed to meet compliance requirements.
Phase 3 – Accredited Assessment
After the improvements have been implemented, we perform an ISO 17020 Accredited Assessment to validate your compliance with 23 NYCRR 500. We document the results in a formal Assessment and Attestation report that describes Tevora staff qualifications, project scope, methodology used for the assessment, and a full review of controls mapped to supporting evidence indicating that 23 NYCRR 500 requirements have been met.
Once this phase is complete, you can be confident that your information systems meet all requirements of 23 NYCRR 500.
While the number and magnitude of gaps found for each client will have an impact on timing, we are generally able to complete all three phases within three weeks.
For a deeper dive on this subject, check out our Introduction to 23 NYCRR 500 webinar.
Here are some resources that provide additional detail on 23 NYCRR 500 and related topics:
- Tevora’s New York DFS Cybersecurity Regulation datasheet
- 23 NYCRR 500 regulation
- FAQs: 23 NYCRR Part 500 – Cybersecurity
- DFS Portal
- New York SHIELD Act
Talk to an Expert
If you have questions about 23 NYCRR 500 or would like help bringing your organization into compliance, just give us a call at (833) 292-1609 or email us at email@example.com.
About the Author
Katie Elias is an Information Security Associate at Tevora.