If you work in the New York insurance, banking or finance industry, pay careful attention to this article about the sweeping new regulations placed on businesses and organizations holding licenses issued by the New York Department of Financial Services (DFS). Your business will most likely have to make serious changes to its IT cyber security processes, technical safeguards and governance. The initial deadline for compliance is 8/28/2017.
Do they affect me? Who can get a 23 NYCRR 500 exemption? What does a limited exemption mean?
The New York Department of Financial Services (NYDFS) promulgated a new set of cybersecurity regulations for the banking, insurance, and financial sectors operating within the state. 23 NYCRR 500 went into effect on March 1, 2017. With these regulations, New York became the first state in the country to mandate minimum cybersecurity standards. 23 NYCRR 500 sets data security requirements for the financial institutions it covers. We have been fielding many calls from clients inquiring about these trailblazing rules. This article outlines the entities the regulations cover, the requirements those covered entities must adhere to, and a timeline for compliance.
23 NYCRR 500 applies to individuals and non-governmental entities operating in the state of New York under a license, registration, charter or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law. These are known as Covered Entities. Examples include insurance companies, independent insurance adjusters, financial services companies and banks.
A Covered Entity that meets the criteria in 23 NYCRR 500.19(a) may claim a limited exemption from certain provisions* of the regulation.
*500.04, 500.05, 500.06, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16
Certain entities that do not handle nonpublic information may also be eligible for a limited exemption from certain provisions under 23 NYCRR 500.19(c) and (d).
If an entity qualifies for one of the exemptions, it must file a Notice of Exemption within 30 days of determining that it qualifies (23 NYCRR 500.19(e)). It is very important to note that even under a limited exemption you must still comply with several of the requirements of the new regulation; the exempt sections listed above are the only ones that fall away.
These cybersecurity regulations are designed to protect customer information and the information technology systems of the regulated entities. Each company must assess its specific risk profile and design a program that addresses those risks in a robust fashion. Management must be informed of the risks and of how they evolve over time (23 NYCRR 500.09(a)). Senior management is responsible for the entity's cybersecurity program and must file an annual certification confirming compliance with the regulations.
Covered entities must implement and maintain a cybersecurity program and written policies, approved by a senior officer, the board of directors or an equivalent governing body, that set out the policies and procedures for protecting the entity's information systems and the nonpublic information stored on those systems. That cybersecurity policy must be based on a risk assessment and address the following areas where applicable:
(23 NYCRR 500.03.) As you can see, the regulations go beyond consumer protection to include business continuity, disaster recovery, asset inventory, and systems operations.
The cybersecurity program must cover policies and procedures for:
Once the cybersecurity program is in place, its effectiveness must be assessed either through continuous monitoring or through periodic penetration testing and vulnerability assessments (23 NYCRR 500.05). Entities are also required to periodically review access privileges to information systems that hold nonpublic information, to maintain application security procedures, and to assess the risk that third-party service providers present (23 NYCRR 500.07, 500.08 and 500.11).
The entity must designate a Chief Information Security Officer (CISO) who oversees the cybersecurity program and enforces the cybersecurity policy. That person can be an employee or a third-party service provider. The CISO must report, at a minimum, annually to the board of directors (23 NYCRR 500.04).
An entity must notify the NYDFS superintendent within 72 hours of determining that a cybersecurity event has occurred that either (a) must be reported to any government body, self-regulatory agency, or any other supervisory body, OR (b) has a reasonable likelihood of materially harming any material part of the entity's normal operations (23 NYCRR 500.17). Note that the definition of a cybersecurity event in 23 NYCRR 500.01(d) covers both successful and unsuccessful attempts, so an attempted intrusion that meets either criterion is reportable. Annual certifications of compliance are also required.
Even if you are an exempt entity, you must still conduct the risk assessment, establish a policy for third-party service providers, establish data retention and disposal policies, and meet the breach notification and annual certification requirements.
The requirements have varying compliance deadlines (23 NYCRR 500.22). Here is an overview:
August 28, 2017
February 15, 2018
March 1, 2018
September 1, 2018
March 1, 2019
+ Not subject to exemptions. This is only a summary of the more prominent requirements; see 23 NYCRR 500 for the entire regulation.