15 Elements of the 23 NYCRR 500 Cybersecurity Regulation from NY DFS


As the first February reporting deadline approaches, here are 15 elements to consider for the most recent cybersecurity regulation by the New York State Department of Financial Services:

  1. Written Policies – Everything from information security, data governance, asset inventory, access controls, business continuity, and third-party vendor cybersecurity requirements must be adequately documented.
  2. Designated CISO – Either a third party or in-house, the Chief Information Security Officer must report directly to the board of directors and is responsible for compliance of this regulation.
  3. Pen Test and Vulnerability – Penetration testing and vulnerability assessments should be continuous, but at minimum one pen test per year and a bi-annual vulnerability scan.
  4. Audit Trails – Facilitate reconstruction of financial transactions, include audit trails to detect and respond to incidents. Retain for no less than 5 years.
  5. Access Privileges – Nonpublic data user access must be limited and periodically reviewed.
  6. Application Security – Written guidelines for secure development of in-house and procedures for evaluating security of external applications.
  7. Risk Assessment – Develop and review periodically. Must include description and identification of risks and how they will be mitigated.
  8. Cybersecurity Personnel Intel – Provide cybersecurity personnel with the necessary updates and training to stay on top of emerging cybersecurity trends and countermeasures.
  9. Third Party Service Providers – Risk assessment, minimum practices required by third party, periodic assessment. Multi-factor authentication and encryption recommended.
  10. Multi-Factor Authentication – May include in security, but must include when accessing internal network from an external network, unless CISO certifies equivalent.
  11. Data Retention Policies – There must be written procedures for the disposal of nonpublic information.
  12. Training and Monitoring – Constantly monitor for unauthorized access or tampering by authorized users. Provide regular cybersecurity awareness training for all personnel.
  13. Encryption of Nonpublic Info – If possible, incorporate in transit and at rest. Could be obviated by CISO if unfeasible, using compensating controls.
  14. Incident Response Plan – Written, must address internal process, goals, clear roles and responsibilities, external/internal communication sharing, remediation and documentation of events.
  15. Notice to Superintendent – 72 hours to notify superintendent of material events. Annual written statement submitted February 15th, with information on incidents and vulnerabilities. Must be kept for 5 years.

Remember that a certificate of compliance must be submitted each February 15, first commencing on February 15, 2018. Must be signed by chairperson of the board of directors or senior officer.

*The aforementioned does not constitute legal advice and is the opinion of the author based on the 23NYCRR500 publication.