
What you Need to Know about New York's New Cyber Security Regulation


New York Cyber Security Regulation for Banking, Insurance, and Finance (23 NYCRR 500): who it affects, what is required, and the deadlines for compliance.

Recent New York CyberSecurity Regulations: Do They Affect Me?

The New York Department of Financial Services (NYDFS) promulgated a new set of cybersecurity regulations for the banking, insurance, and financial sectors operating within the state. 23 NYCRR 500 went into effect on March 1, 2017. With these regulations, New York is now the first state in the country to mandate minimum cybersecurity standards. 23 NYCRR 500 sets data security requirements for all financial institutions. We have been fielding many calls from clients inquiring about these trailblazing rules. This article outlines the entities the regulations cover, the requirements those covered entities must adhere to, and a timeline for compliance.

Who the Regulations Cover

23 NYCRR 500 applies to individuals and non-governmental entities operating in the state of New York under authorization of the Banking Law, the Insurance Law, or the Financial Services Law. These are known as Covered Entities.

Am I exempt from 23 NYCRR 500?

A Covered Entity is exempt from certain provisions* of the regulations if it has:

  1. Fewer than 10 employees, including any independent contractors of the entity or its affiliates, located in New York or responsible for business of the entity
  2. Less than $5 million in gross annual revenue in each of the last three fiscal years from the New York business operations of the entity and its affiliates
  3. Less than $10 million in year-end total assets, including assets of the affiliates, calculated in accordance with generally accepted accounting principles

23 NYCRR 500.19(a). *The exempted provisions are 500.04, 500.05, 500.06, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16.

Certain entities that do not handle classes of nonpublic information are also exempt from certain provisions (23 NYCRR 500.19(c) and (d)).

If an entity qualifies for one of the exemptions, it must file a Notice of Exemption within 30 days of determining that it is exempt (23 NYCRR 500.19(e)).

The Requirements of 23 NYCRR 500

These cybersecurity regulations are designed to promote the protection of customer information and the information technology systems of the regulated entities. Each company must assess its specific risk profile and design a program that addresses its risks in a robust fashion. Management must be informed of any risks and how they evolve over time (23 NYCRR 500.09(a)). Senior management is responsible for the entity's cybersecurity program and must file an annual certification confirming compliance with the regulations.

Covered entities must implement and maintain a cybersecurity program and written policies, approved by a senior officer, the board of directors, or an equivalent governing body, that set out the policies and procedures for protecting the entity's information systems and the nonpublic information stored on those systems. The cybersecurity policy must be based on a risk assessment and address the following areas where applicable:

  • Information security
  • Data governance and classification
  • Asset inventory and device management
  • Access controls and identity management
  • Business Continuity and Disaster Recovery planning
  • Systems operations and availability
  • Systems and network security and monitoring
  • Systems and application development and quality assurance
  • Physical security and environmental controls
  • Customer data privacy
  • Vendor and third party service provider management
  • Risk assessment
  • Incident response

(23 NYCRR 500.03.) As you can see, the regulations go beyond consumer protection to include business continuity, disaster recovery, asset inventory, and systems operations.

The cybersecurity program must cover policies and procedures for:

  • Cybersecurity personnel and intelligence
  • Third party service provider security
  • Multi-factor authentication
  • Limitations on data retention
  • Training and monitoring of personnel
  • Encryption of non-public information
  • Incident response plan

(23 NYCRR 500.10 through 500.16.)

Once the cybersecurity program is in place, it must be either continuously monitored or periodically tested through penetration testing and vulnerability assessments (23 NYCRR 500.05). Entities are also required to review access privileges to information systems that hold nonpublic information, their application security policies, and the risk that third party service providers present (23 NYCRR 500.05 through 500.08).

The entity must designate a Chief Information Security Officer (CISO) who oversees the cybersecurity program and enforces the cybersecurity policy. That person can be an employee or a third-party service provider. The CISO must report, at a minimum, annually to the board of directors (23 NYCRR 500.04).

An entity must notify the NYDFS superintendent within 72 hours of determining that a cybersecurity event has occurred that either (a) affects the entity and must be reported to any government body, self-regulatory agency, or other supervisory body, or (b) has a reasonable likelihood of materially harming any material part of the entity's normal operations (23 NYCRR 500.17). The definition of a cybersecurity event includes unsuccessful attempts (23 NYCRR 500.01(d)). Annual self-certifications are also required.

Even if you are an exempt entity, you must still conduct the risk assessment, establish policies for third-party service providers, establish data retention policies, and comply with the breach notification and annual certification requirements.

Deadlines for Compliance

The requirements have varying compliance deadlines (23 NYCRR 500.22). Here is an overview:

August 28, 2017

  • Cybersecurity program in place
  • Cybersecurity policy created
  • Designation of a CISO
  • Limitation of user access privileges
  • Use, training and verification of cybersecurity personnel and intelligence
  • Development of an incident response plan

February 15, 2017

  • First annual certification of compliance+

March 1, 2018

  • Monitoring and periodic penetration testing and vulnerability assessments
  • Risk assessment+
  • Multi-factor authentication
  • Training and monitoring
  • First CISO report to board of directors

September 1, 2018

  • Implementation of audit trail
  • Application security
  • Limitations on data retention+
  • Establishment of a monitoring program
  • Encryption of nonpublic information

March 1, 2019

  • Creation of third party service provider security policy+

+Not subject to the exemptions.

This is only a summary of the more prominent requirements. See 23 NYCRR 500 for the entire regulation.