The New York Department of Financial Services (NYS-DFS) recently updated the model cyber security law (23 NYCRR 500) that requires financial institutions to build, update and validate a robust cyber security program. In this article we discuss key requirements and how organizations can simplify the compliance process.
What is the NYS-DFS Cyber Security Law?
The NYS-DFS Cyber Law (23 NYCRR 500) was introduced in March 2017 by the New York Department of Financial Services (DFS). The law set forth a new regulatory framework that requires all financial institutions doing business in New York to adopt a formal information security program. The new “cyber security rule” added cyber requirements to tens of thousands of financial firms. One of the key requirements that takes NYS-DFS cyber to a new level is that the law requires senior management to formally attest to the program.
In November 2023 the NYS-DFS made its first major update to the framework, clarifying certain control areas and adding new requirements. The NYS-DFS is also making waves with more aggressive enforcement actions.
Who must comply with the NYS-DFS Cyber Law?
In general, any organization that is regulated by the New York Department of Financial Services must comply. This includes banks, insurance companies and other financial services firms. These are referred to as “Covered Entities” in the formal language.
500.01 [(c)] (e) Covered entity means any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law, regardless of whether the covered entity is also regulated by other government agencies.
What organizations are exempt from NYS-DFS?
The law has some exemptions for “small organizations” such as those with fewer than 20 employees or less than $7.M USD in gross annual revenue. There are two types of exemptions: full and limited, both of which are in section 500.19. The 2023 update included clarifications on which organizations are exempt.
How many businesses must comply with NYS-DFS?
According to estimates by NYS-DFS, the law may require as many as 20,000 financial services and insurance organizations to develop, document and demonstrate compliance with cyber best practices.
It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs. Adoption of the program outlined in these regulations is a priority for New York State.
How is the NYS-DFS Different from other cyber laws?
The NYS-DFS Cyber Law is different from other cyber regulations and “frameworks” (like ISO 27002 and NIST CSF) in two critical ways.
Management Accountability – First, this is the first law to require management accountability. What this means is that a member of “Senior Management” must formally sign a document that attests to the effectiveness of the cyber program (500.17). The form must be signed and submitted directly to NYS-DFS along with related information. This is why we sometimes refer to NYS-DFS as “Sarbanes-Oxley” for cyber security.
500.17 (b) Annually each Covered Entity shall submit to the superintendent a written statement covering the prior calendar year.
Cyber Records – Second, the accountability clauses require the organization to keep a record of compliance evidence for 5 years. According to the law, NYS-DFS can request any compliance record going back 5 years. This includes policies, plans, evidence and artifacts. (See ComplianceShield for a solution to store and share compliance evidence.)
500.17 (b) Each Covered Entity shall maintain for examination by the Department all records, schedules and data supporting this certificate for a period of five years.
When do the updated NYS-DFS rules go into effect?
The updated requirements have different deadlines, extended to nearly 2 years from the effective date. Some elements of the law go into effect almost immediately. For example, 500.17(a), which requires providing NYDFS with notice of cybersecurity events reported to other authorities as well as ransomware, goes into effect December 2023. For most changes the new enforcement deadline is 180 days from the effective date, or April 2024. The vulnerability scanning and risk assessment requirements take effect 18 months from the effective date, and two-factor authentication 24 months.
What does the NYS-DFS Cyber Law Require?
The NYS-DFS Cyber Law has compliance requirements broken into 19 different sections. The majority of the categories refer to common information security controls that are part of other frameworks including ISO 27002, NIST CSF and GLBA.
500.2 (a) [Cybersecurity program.] Each covered entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the covered entity’s information systems and nonpublic information stored on those information systems.
In general, the law requires a Covered Entity to build and maintain a defensible cyber security program that protects sensitive customer information. The program must be continually updated based on business conditions and a formal cyber risk assessment.
Key Elements of the NYS-DFS Cyber Law
The following categories are defined in the updated NYCRR 500 cyber law.
5.02 Develop a Cyber Security Program
5.03 Develop and Update Security Policies, Plans and Procedures
This section requires written information security policies to cover each specific topic area required in the other sections, including: security program; data governance and classification; asset inventory and device management; access controls and identity management; business continuity and disaster recovery planning and resources; systems operations and availability concerns; systems and network security; systems and network monitoring; systems and application development and quality assurance; physical security and environmental controls; customer data privacy; vendor and Third Party Service Provider management; risk assessment; incident response.
5.04 Appoint an Information Security Leader
5.05 Regular Vulnerability and Penetration Testing
5.06 Perform Regular IT Cyber Risk Assessments
5.07 Control Access to information
5.08 Perform Regular IT Cyber Risk Assessments
5.09 Develop Secure Applications
5.10 Train and Educate Cybersecurity Personnel
5.11 Manage Third Party Vendor Risk
5.12 Multi-factor Authentication
5.13 Asset management and data retention requirements.
5.14 Educate and Train Users
5.15 Implement two-factor authentication.
5.16 Secure collection, storage and disposal of data
5.17 Support Management Attestation and Evidence
These sections contain more specific controls that must also be implemented and supported in written information security policies.
Do we need to hire a cyber security expert to implement the NYS-DFS Cyber requirements?
The NYS-DFS requires a “qualified individual” to be responsible for the information security program (500.04). It does NOT require that this person be an outside expert. However, the law goes further to require that the individual have adequate and “ongoing” training to support their role. For smaller organizations, hiring a full-time CSO or equivalent may be beyond their budget.
While it is always best to have professional cyber security advice, hiring a cyber security expert may not be an option for many organizations. In some cases, you can enhance your team with a “Virtual CSO” that works part-time in your organization. This is a qualified individual who has all of the experience and training required to implement the program and address NYS-DFS requirements, but they are “fractional” and only assigned part time to the organization.
How can you simplify NYS-DFS Cyber Compliance?
Compliance with NYS-DFS can seem daunting, especially for organizations with limited resources and even more limited cyber security staff. However, your organization can dramatically simplify the entire process by following well-defined compliance management principles that are automated by software solutions. These solutions are often referred to as “GRC” or Governance, Risk and Compliance.
For example, to dramatically reduce the cost and time of developing and implementing a cyber program, consider using an all-in-one tool like ComplianceShield. Using ComplianceShield your organization can build a complete cyber security baseline that addresses all of the NYS-DFS requirements in under 10 minutes. ComplianceShield includes the following:
- Wizard-based NYS-DFS Cyber Control Baseline to quickly define, document and start tracking the program; (5.02)
- A complete library of information security policy templates that address all of the key NYS-DFS requirements, including account management, data security, device security, third-party risk, governance, training and incident response. (5.03)
- Wizard-based IT Cyber Risk Assessment to define, address and update cyber risk (5.09)
- A Roles and Responsibilities library that documents the responsibilities of the appointed Information Security Leader (5.04)
- Compliance assessment and tracking, including management of control evidence (5.06)
- Support for internal and external audits, including integration of evidence from vulnerability scanning and log data (5.08)
- Integrated Vendor Risk Management policies and functions. (5.11)
- Built-in Asset Inventory wizard and asset management policy (5.13)
- Integrated security awareness and training courses to address the Governance and Training requirement. (5.14)
- Integrated Incident Response and Disaster Recovery functions and template Plans (5.16)
- Secure management and sharing of compliance evidence to support management attestation. (5.17)