New York Cybersecurity Regulation — How to Deal with the Impact of 23 NYCRR 500
If you’re a financial services organization doing business in New York State, then you need to be compliant with the New York Department of Financial Services (DFS) Cybersecurity Regulation, known as 23 NYCRR 500. All banks, financial institutions, and similar businesses must understand their responsibilities under 23 NYCRR 500, particularly for strong authentication and securing data.
Financial services companies were expected to comply with all requirements of 23 NYCRR 500 by March 1, 2019. Since then, the NY DFS has begun levying fines against non-compliant businesses. It is essential to understand where those businesses went wrong and how to protect your organization from the same fate.
What the NY DFS Cybersecurity Regulations Mandate
Outlined below are the requirements 23 NYCRR 500 places on financial organizations operating in the state of New York. The mandate applies to the organization, its employees, and any third-party vendors or service providers involved with cybersecurity.
Create Policies and Procedures for Protecting Information Systems
There must be an approved written policy with procedures in place to protect information systems, customer data, and other nonpublic details. The policy should be based on a complete and robust risk assessment.
Appoint a Chief Information Security Officer
All organizations should appoint a senior person who is responsible and accountable for overseeing and implementing a cybersecurity program that protects systems and data.
Carry Out Penetration Testing and Vulnerability Assessments
Financial services organizations must regularly monitor and test the security of their business systems and data. This should be based on a risk assessment and can be carried out through vulnerability scanning, penetration testing, and similar approaches.
Ensure Financial Services Have Audit Trails
All financial transactions should have an auditable history, including audit trails designed to detect and respond to cybersecurity issues that may harm business systems, operations, or data.
Put Access Privileges in Place
All systems and roles in an organization should have appropriate access privileges so that nonpublic information can only be accessed by individuals with legitimate business reasons.
Implement Strong Application Security
Application development and usage should be covered by written procedures, guidelines, and standards. These should be designed to ensure the use of both secure development practices for in-house developed applications and procedures for evaluating, assessing, and testing the security of externally developed applications.
Carry Out Regular Cybersecurity Risk Assessments
Every organization should regularly carry out risk assessments of its cybersecurity posture and create action plans to address any vulnerabilities, gaps, or shortfalls identified.
Implement Multi-factor or Risk-Based Authentication
Depending on the risk of unauthorized access identified in the risk assessment, an organization should put multi-factor authentication or risk-based authentication in place to protect data and business systems from unauthorized access.
Dispose of Expired Data in a Safe and Secure Way
An organization must ensure that any nonpublic information no longer required is disposed of safely and securely.
Train and Monitor Employees
Organizations should monitor the activity of users when they access business systems and nonpublic information, and provide regular cybersecurity awareness training for all personnel.
Encrypt Sensitive Information
Financial services businesses should encrypt sensitive information to protect it both in transit over external networks and at rest.
Implement an Incident Response Plan for Cybersecurity Breaches and Issues
The organization must implement a complete and robust incident response plan designed to respond promptly to, and recover from, any cybersecurity issue that impacts the confidentiality, integrity, or availability of business systems or sensitive information.
Why You Need to Pay Attention to 23 NYCRR 500
As of December 2018, NY DFS had received approximately 1,000 notices of cybersecurity events, with multiple investigations into financial services organizations underway. NY DFS is imposing fines to ensure organizations become and remain compliant.
If you are responsible for cybersecurity in a financial services business operating in the state of New York, you need to ensure full compliance with the DFS requirements. Read through the regulations in detail and introduce strong risk assessment, multi-factor or risk-based authentication, and other security measures to ensure all mandated guidelines are met.
That way, you’ll not only avoid investigations, fines, or penalties, but significantly improve the integrity and security of your IT environment.
To learn more about achieving and maintaining 23 NYCRR 500 compliance, watch this on-demand webinar.
Olivier Thirion de Briel is Global Solutions Marketing Director for the banking sector at HID Global, leading the banking strategy and marketing for IAM solutions. Prior to joining HID Global, he managed the cloud strong authentication offering at VASCO Data Security. He previously managed Oberthur Technology’s strong authentication product line and funded two mobile companies. He holds an MBA from INSEAD, as well as an MSc in Computer and Electronic Science.