Understanding NYDFS Rules: A Comprehensive Guide to Financial Regulation in New York
What is the NYDFS Cybersecurity Regulation?
The NYDFS Cybersecurity Regulation (23 NYCRR 500) is a new set of regulations from the New York Department of Financial Services (NYDFS) that places cybersecurity requirements on all covered financial institutions. The rules were released on February 16, 2017, after two rounds of feedback from the industry and the public, and include 23 sections outlining the requirements for developing and implementing an effective cybersecurity program; covered institutions must assess their cybersecurity risks and develop plans to proactively address those risks. The regulation included a phased implementation process, with four distinct phases giving organizations time to implement more robust policies and controls.
Who is Covered Under the NYDFS Cybersecurity Regulation?
The NYDFS Cybersecurity Regulation applies to all entities operating under or required to operate under DFS licensure, registration, or charter, or which are otherwise DFS-regulated, as well as, by extension, unregulated third-party service providers to regulated entities. Examples of covered entities include:
- Licensed lenders
- State-chartered banks
- Trust companies
- Service contract providers
- Private bankers
- Mortgage companies
- Insurance companies doing business in New York
- Non-U.S. banks licensed to operate in New York
The regulation provides an exemption for organizations with:
- Fewer than 10 employees
- Less than $5 million in gross annual revenue for three years, or
- Less than $10 million in year-end total assets
How Does the NYDFS Cybersecurity Regulation Work?
The NYDFS Cybersecurity Regulation works by imposing strict cybersecurity rules on covered organizations, including the establishment of a detailed cybersecurity plan, the designation of a Chief Information Security Officer (CISO), the adoption of a comprehensive cybersecurity policy, and the creation and maintenance of an ongoing reporting system for cybersecurity events. Each of these components comprises several sub-regulations and requirements.
NYDFS Cybersecurity Regulation Requirements
A cybersecurity program that complies with the new NYDFS Cybersecurity Regulation will adhere to several key requirements, aligned to the NIST Cybersecurity Framework:
- Identify all cybersecurity threats, both internal and external.
- Employ defense infrastructure to protect against those threats.
- Use a system to detect cybersecurity events.
- Respond to all detected cybersecurity events.
- Work to recover from each cybersecurity event.
- Fulfill various requirements for regulatory reporting.
Cybersecurity Policy Design
The initial phase of the NYDFS Cybersecurity Regulation went into effect on February 15, 2018 and requires covered organizations to develop a cybersecurity policy, including an incident response plan that provides for data breach notification within 72 hours. The policy must address concerns in alignment with industry best practices and the ISO 27001 standard. Most notably, the policy must cover:
- Information security
- Access controls
- Disaster recovery planning
- Systems and network security
- Customer data privacy
- Regular risk assessments
Reporting Procedures
Phase two, which went into effect on March 1, 2018, requires CISOs to prepare an annual report that includes:
- The organization’s cybersecurity policies and procedures
- The organization’s security risks
- The effectiveness of the organization’s existing cybersecurity measures
Covered institutions are required to develop and implement a cybersecurity program that continuously evaluates vulnerabilities, which not only informs the annual report but also enables the organization to develop proactive responses to threats.
Program Development
Phase three, which went into effect on September 3, 2018, requires covered institutions to have a comprehensive cybersecurity program in place that contains several key elements, including:
- An audit trail that reflects threat detection and response activities
- Written documentation of procedures, standards, and guidelines for in-house applications as well as procedures for evaluating third-party applications
- Detailed data retention policy documentation, including how non-public personal information is disposed of
- Encryption and other robust security control measures
Third Party Security
The final remaining requirement took effect on March 1, 2019. It requires covered institutions to finalize their policies regarding any third party that could be granted access to systems and files covered by the regulation. Covered financial institutions must develop a written third-party security policy that details:
- Risk assessment of third-party service providers
- The covered financial institution’s security requirements of third-party service providers that must be met in order to conduct business with that entity
- Processes for evaluating the effectiveness of a third-party service provider’s security practices
- Periodic assessments of third-party policies and controls
Additional Requirements
Organizations covered by the NYDFS Cybersecurity Regulation are also required to:
- Use qualified, continuously trained cybersecurity personnel to manage evolving cybersecurity threats and responses. These personnel may be provided by a third party.
- Notify the NYDFS of all cybersecurity events that carry a "reasonable likelihood" of causing material harm.
- Limit access privileges. Companies covered by the regulation must monitor and limit the access privileges granted to users.
Covered Institutions Must Address New Cybersecurity Challenges
Some requirements of the NYDFS Cybersecurity Regulation go above and beyond existing industry best practices. The most noteworthy are:
- Data encryption: Organizations must enact controls, including encryption of sensitive data, depending on the outcome of a risk assessment.
- Annual certification: Covered entities must complete certification every year to confirm compliance with the regulations.
- Enhanced multi-factor authentication: Covered institutions must employ multi-factor authentication for all inbound connections to the entity's network.
- Incident reporting: Covered entities must document and report all cybersecurity events.
Best Practices for Complying with NYDFS Cybersecurity Regulation
Financial institutions face a near-term compliance challenge under the new NYDFS Cybersecurity Regulation. Best practices involve meeting all the requirements in a timely manner, paying special attention to deadlines, and appointing a qualified CISO to pull together an appropriate response. In preparing for NYDFS Cybersecurity Regulation compliance, be sure to:
- Assess whether your institution is classified as "covered." There are several exemptions, but exempt organizations must file as exempt within 30 days of the end of the most recent fiscal year. To determine whether your organization is "covered," see the "Who We Supervise" page on the NYDFS website.
- Assemble your organization's regulatory compliance team. All covered, non-exempt financial institutions should have a designated Chief Information Security Officer (CISO). While the CISO holds overarching responsibility for compliance, achieving and maintaining compliance is generally a job for a team rather than an individual, especially because the new regulations apply enterprise-wide.
- Understand your risk profile. The required Risk Assessment had to be submitted by March 1, 2018. Organizations should nonetheless conduct ongoing, periodic risk assessments to identify vulnerabilities and respond proactively to emerging threats.
- Adhere to all deadlines. The final provisions of the new regulation went into effect on March 1, 2019.
Conclusion
NYDFS rules are comprehensive, aiming to safeguard both consumers and financial institutions. While compliance can be challenging, adherence to these regulations fosters trust and resilience in the financial sector. As regulations continue to evolve, businesses must remain agile, adopting best practices to align with NYDFS’s standards.
By understanding and implementing these rules effectively, companies can not only avoid penalties but also enhance their reputation in one of the world's most dynamic financial landscapes.
How Does Ardent Privacy Help with NYDFS Cybersecurity Regulation Compliance?
Ardent Privacy helps organizations comply with the New York Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR 500) with its innovative tool “TurtleShield” for data privacy and security management. The platform enables automated data discovery and classification, ensuring organizations can locate and safeguard sensitive information subject to NYDFS rules. It facilitates risk assessments by identifying vulnerabilities in data assets, particularly redundant, obsolete, or trivial (ROT) data, and helps prioritize remediation efforts. By supporting data minimization, Ardent Privacy reduces the risk of breaches by identifying and eliminating unnecessary or excessive data. The platform also aids in incident response preparedness by mapping critical data, helping to mitigate the impact of breaches. Additionally, it enhances compliance with access controls and encryption by identifying sensitive data that requires protection. Ardent Privacy supports regulatory documentation by generating detailed reports on data inventory and actions taken, simplifying compliance reporting. With continuous monitoring capabilities, the platform ensures that organizations can adapt to evolving regulatory requirements and emerging cybersecurity threats, offering a comprehensive solution to meet NYDFS standards.