Effective March 1, 2017, the New York Department of Financial Services (“NYDFS”) has implemented 23 NYCRR 500, which requires “Covered Entities” regulated by the NYDFS, and their “Third Party Service Providers”, to implement strict information security practices and procedures in order to ensure the security of Nonpublic Information. These new regulations define their purview broadly, encompassing not only traditional financial services companies such as banks and insurance companies, but also entities such as any business incorporated under the laws of the State of New York, foreign bank branches, charitable foundations, holding companies, mortgage bankers, mortgage and insurance brokers, and mortgage loan servicers, including those domiciled outside of the State of New York if they engage in financial or insurance services in the state. A Covered Entity is excluded from the effect of these regulations only if it has fewer than ten employees; annual revenues of less than $5,000,000 for each of the past three years; or less than $10,000,000 in total year-end assets as calculated under GAAP. All other Covered Entities must comply with strict regulations safeguarding nonpublic information maintained by or accessible to the entity. 23 NYCRR 500.19.
These regulations also require Covered Entities to “ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers,” such as their attorneys, accountants, IT vendors, and any other professional who provides services to Covered Entities. 23 NYCRR 500.11(a). As a result of these regulations, Covered Entities are tasked with creating written cybersecurity policies and procedures for their Third Party Service Providers, which establish minimum standards for such vendors to follow and processes to periodically audit and perform risk assessments of such vendors’ security.
Under the new regulation, every “Covered Entity” will be required to assess its specific risk profile, and design, implement, and maintain a risk program to protect the confidentiality and integrity of its information systems. Specifically, under the regulations, Covered Entities will be required to comply with all of the provisions of 23 NYCRR 500 as outlined below.
Maintain a Cybersecurity Program
The program must be designed to protect the confidentiality, integrity, and availability of the Covered Entity’s Information Systems by identifying risks, providing for a defensive data infrastructure, detecting cybersecurity events, responding to and recovering from same, and fulfilling all reporting requirements. 23 NYCRR 500.02. The Cybersecurity Program must be made readily available to the Superintendent of Financial Services.
Implement Written Cybersecurity Policies
The regulation requires covered entities to implement a written cybersecurity policy. The written policy should address the following fourteen points (as applicable to the entity): (1) information security, (2) data governance and classification, (3) asset inventory and device management, (4) access controls and identity management, (5) business continuity, (6) systems operations and availability concerns, (7) systems and network security, (8) systems network monitoring, (9) systems and application development, (10) physical security and environmental controls, (11) customer data privacy, (12) vendor management, (13) risk assessment, and (14) incident response. 23 NYCRR 500.03.
In addition, the written policy should outline procedures for the entity during a cybersecurity event, and provide for several miscellaneous circumstances detailed below.
– Breach and Notification
Covered Entities are to establish a written response plan for any cybersecurity event addressing: the internal process for responding to a cybersecurity event, the goals of the incident response plan, definitions of roles, responsibilities, and authority, external and internal communications, identification of requirements for the remediation of identified weaknesses, and evaluation of the response plan following a cybersecurity event. 23 NYCRR §§ 500.10, 500.16.
In addition, Covered Entities must provide notice of a material cybersecurity event to the Superintendent of Financial Services within 72 hours of event determination. 23 NYCRR §§ 500.10, 500.17.
Covered Entities must also address in their written policy the use of secure development practices for in-house developed applications they use, ensure the security of Nonpublic Information accessible to Third Party Service Providers, and provide policies and procedures for the disposal of data. 23 NYCRR §§ 500.08, 500.11, 500.13.
Appoint a Chief Information Security Officer
The regulation requires that the entity appoint a Chief Information Security Officer (“CISO”) responsible for overseeing and implementing the cybersecurity program and enforcing the written policy. 23 NYCRR 500.04. The CISO of each covered entity shall report in writing on the cybersecurity program and material risks of the covered entity at least annually to its board of directors or equivalent governing body. The regulation further provides that this requirement may be met by outsourcing the CISO role to a Third Party Service Provider or using an Affiliate, so long as the Covered Entity follows certain provisions of the regulation.
Penetration Testing and Vulnerability Assessments
The regulations require that the Covered Entity’s cybersecurity program be continuously monitored and that penetration testing and vulnerability assessments be performed routinely. 23 NYCRR 500.05. The regulation requires an annual penetration test and a bi-annual vulnerability assessment.
The regulation also provides, in somewhat ambiguous terms, for periodic risk assessments “sufficient to inform the design of the cybersecurity program [and] . . . updated as reasonably necessary to address changes to the Covered Entity’s Information Systems, Nonpublic Information or business operations.” 23 NYCRR 500.09.
Maintain a System to Produce Auditable Recordation of Data
The regulation requires covered entities to include audit trails to respond to cybersecurity events and maintain systems such that “material financial transactions sufficient to support normal operations” may be readily reconstructed. 23 NYCRR 500.06.
Provide Cybersecurity Training
Covered entities are required to provide regular cybersecurity awareness training for all personnel, as well as continual updates and training for cybersecurity personnel. 23 NYCRR §§ 500.10, 500.14.
Data Protection and Authentication
The regulation requires that each covered entity utilize data encryption and/or similar controls to protect nonpublic information held or transmitted by the entity. 23 NYCRR 500.14.
Covered entities are also required to utilize multi-factor authentication, or similar effective controls to protect against unauthorized access to nonpublic information. 23 NYCRR 500.12.
Annual Certification
The regulation requires that covered entities submit a written compliance statement to the Superintendent of Financial Services by February 15th of each year. All records supporting the certification must be maintained for a period of five years for examination by the NYDFS.
Compliance Deadlines
March 1, 2017 – 23 NYCRR 500 is in effect;
August 28, 2017 – covered entity’s cybersecurity program, cybersecurity policy, and response plan must all be in place; breach notification obligation effective; CISO must be appointed;
February 15, 2018 – first annual certification to the Superintendent of Financial Services due;
March 1, 2018 – penetration and vulnerability testing obligation begins; periodic assessments policy must be in place; cybersecurity awareness training must be provided to employees;
September 1, 2018 – covered entity’s audit trail policy, applications security policy, data retention policy, and authorized user monitoring policy must all be in place; encryption or alternative must be adopted; and
March 1, 2019 – third party service provider security policy in place.
23 NYCRR 500 is certain to have an impact on all financial service firms, including banks and insurance companies, regulated by the State of New York, and their outsourced professionals, regardless of whether they have a physical presence in the state. Data security measures on the level required by 23 NYCRR 500 are probably not in place in many smaller organizations at present, and implementation will be expansive and costly, but not unwarranted. To survive in a world of constant information security threats, companies doing business in or with the financial services sector must develop practices and procedures for the monitoring and protection of data.
While the requirements are extensive, 23 NYCRR 500 does provide firms a significant transitional period for full compliance. Further, the regulation permits compliance assistance from an affiliate or third party service provider of a covered entity for nearly all provisions. Accordingly, at least a portion of the burden of the regulation may be shouldered by data security specialists and counsel.
It is important to recognize that, while these regulations are among the most detailed to be adopted by a state, it is likely that other states will adopt similar regulations in the near future. For those institutions without expansive cybersecurity practices and procedures currently in place and soon to be subject to 23 NYCRR 500, it may make economic and practical sense to immediately start adopting stringent information security policies above and beyond those currently required by 23 NYCRR 500, to proactively address this ever-changing marketplace.
Ezentria helps research and analytics firms implement cutting-edge information security practices and procedures for all Insights Association members. It does so using the globally accepted ISO 27001:2013 Information Security Management System, certification to which indicates that a firm is using best practices for information security, as verified by outside auditors specializing in data security. This certification evidences to an organization’s clients and suppliers that it takes information security as seriously as they do, and it satisfies the NYDFS requirement. Please contact us to discuss our globally accepted approach designed to help you quickly satisfy this requirement and address your other information security concerns.