On March 1, 2017, the state of New York issued the 23 NYCRR 500 regulation. But what is that regulation all about, and what is its purpose? Read this post and find out.
23 NYCRR 500 – What Is This Regulation?
What is NYDFS? Those letters stand for “New York State Department of Financial Services”, and 23 NYCRR 500 is a new set of regulations issued by NYDFS.
This regulation places new cybersecurity requirements on all covered financial institutions.
So, what do you think are its covered entities? Well, they are the following:
- Service providers
- Insurance companies
- Mortgage companies
- Private bankers
- State-chartered banks
- Foreign banks, specifically those licensed to operate within New York
- Licensed lenders
But companies have limited exemptions if:
- They employ fewer than 10 people.
- They produced less than $5 million in gross annual revenue (for the past 3 years).
- They hold less than $10 million in year-end total assets.
What else does this regulation do? 23 NYCRR 500 imposes strict cybersecurity rules, including putting a detailed cybersecurity program in place and designating a CISO.
It also requires covered entities to enact a written cybersecurity policy and to set up a system for responding to and reporting cybersecurity events.
What Are Its Compliance Requirements?
Your cybersecurity program must adhere to the following terms:
- Identify all internal and external cybersecurity threats.
- Employ a defensive infrastructure to protect against those identified threats.
- Use systems that detect cybersecurity events.
- Respond to all detected events.
- Work to recover from those events.
- Fulfill various requirements for regulatory reporting.
Cybersecurity Policy Design
The policy must address the following concerns, in line with industry best practices:
- Information security and access controls
- Disaster recovery planning
- Systems and network security
- Customer data privacy
- Regular risk assessment
Reporting Procedures
Phase 2 went into effect on March 1, 2018. In this phase, CISOs must prepare an annual report, which must include the following:
- The company’s cybersecurity policies and procedures.
- The security risks.
- The effectiveness of the company’s current cybersecurity measures.
Program Development
This phase went into effect on September 3, 2018. By then, institutions must have a comprehensive cybersecurity program in place.
But what must these programs contain? Well, the programs must include the following:
- An audit trail that reflects threat detection as well as response activities.
- Written documentation (procedures, standards, guidelines).
- Detailed data retention policy documentation, including how non-public personal data is disposed of.
- Encryption
Third-Party Security
This is the final requirement, and it went into effect on March 1, 2019. In this phase, institutions finalize their policies concerning third parties.
Covered institutions must develop and submit written policies covering third-party service providers.
These policies may include the following:
- Risk assessment.
- The covered financial institution’s security requirements, which third-party service providers must also meet.
- Processes for evaluating third-party service providers’ security practices and their effectiveness.
- Periodic assessment of third-party policies and controls.