On March 1, 2019, all banks and other entities and persons regulated or licensed by the New York State Department of Financial Services (DFS) must be in compliance with the requirements of 23 NYCRR 500.11 (third-party service provider security).
If your institution is regulated by DFS and does business in New York State (and who doesn't?), these NYDFS cybersecurity requirements apply to you, and your bank must be in compliance.
What Led to NYCRR 500?
The text of the regulation describes the urgency of an “ever-growing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors.”
Cybercriminals, the text warns, have recently “sought to exploit technological vulnerabilities to gain access to sensitive electronic data” and pose a risk of “significant financial losses for DFS regulated entities as well as for New York consumers whose private information may be revealed and/or stolen for illicit purposes. The financial services industry is a significant target of cybersecurity threats.”
As a result, the regulation continues, “It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs. The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark. Adoption of the program outlined in these regulations is a priority for New York State.”
NYDFS Requirements & A Surprising Lack of Progress by Banks
There are five overarching requirements that banks must meet to establish NYDFS compliance. Surprisingly few, however, have done so, a situation similar to the lack of preparedness seen for GDPR:
- Cybersecurity Risk Assessment: identification and assessment of internal and external cybersecurity risks that may threaten the security or integrity of non-public information stored on your network
- Cybersecurity Policy: implementation and maintenance of a written policy based on the cybersecurity assessment
- Named CISO: designation of a qualified chief information security officer (CISO); if you do not employ one, you must hire one or engage a third-party managed security provider to serve in this capacity
- Penetration Testing & Vulnerability Assessments: implementation of annual network penetration testing and semi-annual (twice-yearly) vulnerability assessments
- Annual Attestation: annual submission, by February 15, of a certification of compliance to the NYDFS superintendent
Specific NYDFS cybersecurity requirements cover a range of issues:
- Audit trails
- Access privileges
- Application security (e.g. mobile apps and online banking)
- Confidentiality
- Cybersecurity personnel and intelligence
- Encryption of non-public information
- Exemptions
- Incident response planning
- Limitations on data retention
- Multi-factor authentication
- Notices to the superintendent (including cybersecurity event reporting)
- Third-party service provider security policy
- Training and monitoring
The Fastest Way to Comply with NYDFS Cybersecurity Requirements
The place to start is with an initial Security Maturity Assessment.
Contact us today to schedule your assessment. We’ll follow up with a plan for addressing the gaps and taking the steps required to reach compliance before the deadline.