NYDFS Cybersecurity Regulation

Introduction

• 23 NYCRR 500 aka NYDFS Cybersecurity Regulation is a set of regulations from the New York Department of Financial Services (NYDFS) that places new cybersecurity requirements on all covered financial institutions.
• Banks, insurance companies, and companies that do business in New York must now assess their cyber risks, implement a comprehensive, written cybersecurity program, as well as manage the cyber risks of their third-party vendors. The groundbreaking regulation holds company board members personally liable for annual compliance certification.
• The rules were released on February 16th, 2017 after two rounds of feedback from industry and the public. Covered institutions must adhere to many of the new requirements as of August 28, 2017.
• NYDFS is performing an audit every year and all parts of the regulation are effective now even the section 500.11 (Third Party Service Provider Security Policy) which has an effective date of March 1, 2019.

Summary of Requirements

• Conduct a documented risk assessment
• Establish a risk-based cybersecurity program
• Adopt a written cybersecurity policy
• Designate a qualified CISO
• Implement written third-party cyber risk policies
• Establish a written incident response plan
• Notify the superintendent of DFS of any cybersecurity events
• Submit an annual certification of compliance

Requirements in Detail

Requirements are explained in a fourteen-page pdf document which is available at https://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf