In 2017, the New York Department of Financial Services released a new set of regulations that puts cybersecurity requirements on all covered institutions. The NYDFS Cybersecurity Regulation (23 NYCRR 500) contains 23 sections which outline the requirements for developing and implementing an effective cybersecurity program. The regulation also requires covered institutions to assess their cybersecurity risks and create plans to address those risks. The NYDFS Cybersecurity Regulation included four phases of implementation to allow covered institutions adequate time to come into compliance.
This article outlines the Cybersecurity Regulation’s requirements, describes which organizations are considered covered institutions, and highlights a software solution companies can use to help implement the security measures found in the new regulation.
Who is Covered Under the NYDFS Cybersecurity Regulation?
Per the NYDFS Cybersecurity Regulation, “covered institutions” includes all organizations operating under or required to operate under DFS licensure, registration, or charter, or which are otherwise DFS-regulated. This definition extends to unregulated third-party entities that act as service providers to regulated organizations. Examples of covered institutions include:
- Mortgage companies
- Insurance companies
- Service providers
- State-chartered banks
- Licensed lenders
- Private bankers
- Foreign banks licensed to operate in New York
Entities that are exempt from the NYDFS Cybersecurity Regulation include:
- Organizations that employ fewer than 10 people
- Organizations that produced less than $5 million in gross annual revenue from New York operations in each of the past three years
- Organizations that hold less than $10 million in year-end total assets (exempt from some, but not all, requirements of the Regulation)
NYDFS Cybersecurity Regulation Requirements
The NYDFS Cybersecurity Regulation requires all covered institutions to install a robust cybersecurity program, designate a Chief Information Security Officer (CISO), enact and enforce a cybersecurity policy, and develop a system of reporting cybersecurity events.
In order to comply with the NYDFS Cybersecurity Regulation, a covered institution’s cybersecurity program must contain several key elements, in accordance with the NIST Cybersecurity Framework:
- Identify all cybersecurity threats, both internal and external.
- Implement defense infrastructure to protect against those threats.
- Utilize a system to detect cybersecurity events.
- Respond to all detected cybersecurity events.
- Work to recover from each cybersecurity event.
- Fulfill various requirements for regulatory reporting.
- Possess an audit trail that reflects threat detection and response activities.
- Have written documentation of procedures, standards, and guidelines for in-house applications as well as procedures for evaluating third-party applications.
- Employ detailed data retention policy documentation, including how nonpublic personal information is disposed of.
- Use encryption and other robust security control measures.
A covered institution’s cybersecurity policy must adhere to industry best practices and ISO 27001 standards. The policy should include:
- Information security
- Access controls
- Disaster recovery planning
- Systems and network security
- Customer data privacy
- Regular risk assessments
The CISO of your organization is required to draft an annual report. This report should include:
- The organization’s cybersecurity policies and procedures
- The organization’s security risks
- The effectiveness of the organization’s existing cybersecurity measures
Additional Requirements in the NYDFS Cybersecurity Regulation
In addition to fulfilling the cybersecurity program, policy, and reporting requirements, covered institutions must also:
- Use qualified, routinely trained cybersecurity personnel to manage cybersecurity threats and responses. These can be third-party personnel.
- Notify the NYDFS about all cybersecurity events that carry a “reasonable likelihood” of causing material harm.
- Limit and monitor access privileges granted to users.
Consequences and Penalties for NYDFS Cybersecurity Regulation Violations
Currently, there are no details regarding the fines a covered institution will incur for violating the NYDFS Cybersecurity Regulation. However, the NYDFS clearly states that penalties will be imposed on covered institutions that fail to comply with the Regulation.
In March of 2021, the New York Department of Financial Services fined a mortgage bank $1.5 million for violating the Cybersecurity Regulation.
How Papaya Can Help Keep Your Company in Compliance
In order to avoid paying a hefty fine to the NYDFS and incurring other penalties that can harm your organization, it’s vitally important to have a well-organized system for complying with all aspects of the NYDFS Cybersecurity Regulation. This is where Papaya can help.
Here at Papaya, we offer a software solution designed to keep your organization in compliance with the NYDFS Cybersecurity Regulation. Our software helps you easily organize, manage, and reduce your cybersecurity risk with the NIST Cybersecurity Framework.
Papaya helps your organization align with all five core functions of the NIST Cybersecurity Framework:
- Identify: Understand your cybersecurity risks and priorities.
- Protect: Put controls and countermeasures in place to reduce your risks.
- Detect: Find incidents quickly so you can mitigate the damage.
- Respond: Have a plan for how to deal with incidents when they occur.
- Recover: Get your systems and operations back up and running after an incident.
Additionally, you can use Papaya to complete your Annual Risk Assessment supporting NIST CSF Compliance and fulfill your NIST CSF training requirements for your staff. You’ll also be able to easily create a comprehensive cybersecurity policy using Papaya’s policy generator tool.
Erase all worries of violating the NYDFS Cybersecurity Regulation and incurring a devastating fine. Get started with Papaya today!