Ask someone which industry experienced the most data breaches in 2016, and the answer that comes to mind may be health care or retail. According to the recently published 2017 Verizon Data Breach Investigations Report (DBIR), however, it was the finance industry that experienced the highest number of compromises, with 471 confirmed breaches. In an effort to combat increasingly prevalent attacks on financial services companies, the New York State Department of Financial Services (DFS) has issued a new cybersecurity regulation for the institutions it supervises [1]. Effective as of March 1, 2017, this regulation is officially known as Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations of the State of New York, or 23 NYCRR 500 for short. Let's take a look at the regulation's goal, who is affected, what the requirements are, and when they need to be met.
What is the goal of 23 NYCRR 500?
- The regulation was designed to "promote the protection of customer information as well as the information technology systems of regulated entities," so that a company's cybersecurity program can "ensure the safety and soundness of the institution and protect its customers."
Who is required to comply with this regulation?
- The regulation covers "any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law."
- Limited exemptions are available for smaller entities, and an exempt entity still has to file a notice of exemption with DFS.
What are some of the key requirements of this regulation?
- Designate a qualified individual as Chief Information Security Officer ("CISO") to oversee and enforce the cybersecurity program; the CISO must report to the board at least annually
- Establish a cybersecurity program designed to address internal and external risks, commensurate with the company's own risk assessment
- Implement written cybersecurity policies and procedures, approved by a senior officer or the board
- Use multi-factor authentication, in particular for any individual accessing the company's internal networks from an external network
- Confirm that third-party service providers with access to the company's systems or Nonpublic Information meet minimum security standards
- Maintain audit trails for several years (the regulation specifies five years for records needed to reconstruct material financial transactions and three years for cybersecurity event logs)
- Conduct annual penetration testing and bi-annual (twice-yearly) vulnerability assessments, unless continuous monitoring is in place
- Conduct periodic risk assessments, and use them to drive the program, policies and controls
- Encrypt Nonpublic Information in transit and at rest, or apply compensating controls approved by the CISO where encryption is infeasible
- Implement a written Incident Response Plan
- Provide cybersecurity awareness training for personnel and monitor authorized users for unauthorized access or misuse of Nonpublic Information
- Notify the DFS superintendent of qualifying cybersecurity events no later than 72 hours after determining that such an event has occurred
- Fulfill applicable regulatory obligations, including filing an annual certification of compliance with DFS
When does a company need to comply with the regulation?
- While the regulation went into effect on March 1, 2017, a company has a 180-day transitional period to achieve compliance with most of the requirements
- Additional time, from 12 to 18 months, is allowed for certain sections of the regulation (for example, the audit trail, encryption and penetration testing requirements), and the third-party service provider requirements carry a two-year transitional period
Citrin Cooperman's Technology and Risk Advisory Consulting (TRAC) team is equipped to help a company reach compliance. TRAC has created a proprietary assessment tool to gauge a company's compliance readiness. By completing this assessment, a company can determine whether it is just a few requirements away from compliance or whether a more extensive effort will be required. Whatever resources a company needs, from subject matter expertise to full implementation assistance, TRAC can help it meet its 23 NYCRR 500 compliance needs.
[1] NYS DFS supervised industries include Banks, Budget Planners, Charitable Foundations, Check Cashers, Commercial Check Cashers, Common Trust Funds, Corporate Owners, Credit Unions, Exempt Mortgage Services, Foreign Agencies, Foreign Branches, Foreign Representative Offices, Holding Companies (Multi Bank/One Bank), Investment Companies formed under Article XII of the New York State Banking Law (as opposed to the Investment Company Act of 1940), Licensed Lenders, Limited Purpose Trust Companies, Money Transmitters, Mortgage Bankers, Mortgage Brokers, Mortgage Exempt Organizations, Mortgage Servicers, Mutual Holding Companies, NYS Regulated Corporations, Premium Finance Agencies, Private Bankers, Safe Deposit Companies, Sales Finance Companies, Savings and Loans, Savings Banks, Subsidiary Trust Companies, Trust Companies, and Virtual Currency Businesses.