The New York Department of Financial Services (NYDFS) promulgated a new set of cybersecurity regulations for the banking, insurance, and financial sectors operating within the state. 23 NYCRR 500 went into effect on March 1, 2017. With these regulations, New York is now the first state in the country to mandate minimum cybersecurity standards. 23 NYCRR 500 sets data security requirements for all financial institutions. We have been fielding many calls from clients inquiring about these trailblazing rules. This article outlines the entities the regulations cover, the requirements those covered entities must adhere to, and a timeline for compliance.
23 NYCRR 500 applies to individuals and non-governmental entities operating in the state of New York under authorization of the Banking Law, the Insurance Law, or the Financial Services law and are known as (Covered Entities).
A Covered Entity is exempt from certain provisions* of the regulations if it has:
23 NYCRR 500.19(a) *500.04, 500.05, 500.06, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16
Certain entities that do not handle classes of nonpublic information are also exempt from certain provisions. 23 NYCRR 500.19(c) and (d).
If an entity qualifies for one of the exemptions, it must file a Notice of Exemption within 30 days of the determination of the exemptions 23 NYCRR 500.19(e).
These cybersecurity regulations are designed to promote the protection of customer information and the information technology systems of the regulated entities. Each company must assess its specific risk profile and design a program that addresses its risks in a robust fashion. Management must be informed of any risks, and how they evolve over time (23 NYCRR 500.09(a). Senior management is responsible for the entity’s cybersecurity program and must file an annual certification confirming compliance with the regulations.
Covered entities must implement and maintain a cybersecurity program and written policies, that are approved by a senior officer, board of directors or equivalent governing body, that identify the policies and procedures for the protection of its information systems and nonpublic information stored on those systems. That cybersecurity policy must be based on a risk assessment and address the following areas where applicable:
23 NYCRR 500.03 As you can see, the regulations go beyond consumer protection to include business continuity, disaster recovery, asset inventory, and systems operations.
The cybersecurity program must cover policies and procedures for:
Once the cybersecurity program is in place, it must be continuously monitored or periodically tested via periodic penetration testing and vulnerability assessments. 23 NYCRR 500.05 Entities are also required to review access privileges to information systems that provide access for non-public information, application security policies, and the risk third party service providers present. 23 NYCRR 500.05-08.
The entity needs to designate a Chief Information Security Officer (CISO) who oversees the cybersecurity program and enforces cybersecurity policy. That person can be an employee or a third-party service provider. The CISO must report, an a minimum, annually to the board of directors. 23 NYCRR 500.04.
An entity must notify the NYDFS superintendent of within 72 hours of the determination of a cybersecurity event that impacts the entity of which notice is required to be provided to any government body, self-regulatory agency, or any other supervisory body; OR that has a reasonable likelihood of materially harming any material part of the entity’s normal operations. 23 NYCRR 500.17 This includes unsuccessful attempts. 23 NYCRR 500.01(d). Annual self-certifications are also required.
Even if you are an exempt entity, you must conduct the risk assessment, establish policies for third-party service providers, establish data retention policies, and submit breach and annual notice requirements.
The requirements have varying compliance deadlines. 23 NYCRR 500.22 Here is an overview:
August 28, 2017
February 15, 2017
March 1, 2018
September 1, 2018
March 1, 2019
+Not subject to exemptions: These are just a summary of the more prominent regulations. See the 23 NYCRR 500 for the entire regulation.