NYDFS Compliance Services

NYDFS Cybersecurity Regulation requires New York insurance companies, banks, and other regulated financial services institutions

The state of New York Department of Financial Services (“NYDFS”) finalized its new cybersecurity rule (“23 NYCRR 500”), which creates new information security requirements for a “Covered Entity” under NYDFS supervision. This new detailed regulation includes requirements to appoint a Chief Information Security Officer (“CISO”), to implement and maintain a written cybersecurity policy and the governance of a cyber security program. 

Risk Cognizance provides a Virtual CISO Security Program, which helps our clients quickly comply with the NYDFS mandates, protecting our clients from fines from the New York Department of Financial Services NYDFS.

We accomplish the above by assigning an executive-level CISO to create an NYDFS strategic plan aligned with your company’s budget and goals.  

 Cybersecurity for NYDFS Regulations

Cyber-attacks have been growing, and the New York State Department of Financial Services understands this is a growing problem; in response to the increasing cyber security threat posed to information and financial systems, the New York State Department of Financial Services (NYDFS) has passed the State of New York’s Cyber security Requirements for Financial Services Companies (23 NYCRR 500). This law took effect on March 1, 2017, to protect customer information and the IT systems of regulated entities.

What is NYDFS 23 NYCRR 500?

23 NYCRR 500 is a cybersecurity regulation passed by the New York State Department of Financial Services (NYDFS) in early 2017. According to their website, the purpose of the NYDFS cybersecurity regulations is to “promote the protection of customer information and the information technology systems of related entities.”

The New York cybersecurity regulations apply to all companies under NYDFS supervision, including state-chartered banks, charitable foundations, credit unions, insurance companies, etc.

To follow the NYDFS cybersecurity regulations, companies are now required to “assess its specific risk profile and design a program that addresses its risks in a robust fashion.” Additionally, senior management must “be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations.”

Specific NYDFS 23 NYCRR 500 cybersecurity requirements include (but are not limited to):  

  • NYDFS Risk assessments to inform the program’s design

  • NYDFS Identification and evaluation of external cybersecurity risks

  • NYDFS Controls, policies, and procedures for mitigating those risks

  • NYDFS Fulfillment of regulatory reporting requirements

  • NYDFS Chief Information Security Officer (CISO)

Data Governance and Classification

NYDFS High-Level Requirement 

  • Establish a cybersecurity program

  • Implement and maintain a written cybersecurity policy

  • Designate a CISO

  • Implement an audit trail

  • Utilize access privileges

  • Evaluate, assess, and test the security of in-house and external technology applications

  • Conduct a periodic risk assessment

  • Ensure cybersecurity personnel are appropriately trained and qualified

  • Establish policies and procedures to protect nonpublic information held by third-party service providers

  • Implement multi-factor or risk-based authentication

  • Ensure secure disposal periodically of any nonpublic information

  • Monitor and train all firm personnel

  • Encryption of nonpublic information

  • Establish a written incident response plan

  • Notify the superintendent regarding any cybersecurity event within 72 hours

For more information on NYDFS Cybersecurity Regulation Consulting Services