New York State Department Of Financial Services 23 NYCRR 500

(Full effect: February 15, 2018) Applies to every organization in New York that processes corporate or personal data; takes effect in February 2018, with 180 days allowed for implementation.

Cybersecurity Requirements for Financial Services Companies
Keep Compliant with Kingston

Encrypted drives

Manage Threats and Reduce Risks

Available options cover every need, from personal and corporate to government.

  • 100% Compliant Encrypted USB data storage
  • Simple, easy to use, no software or drivers needed
  • Designed for quick and efficient deployment

NYDFS - 23 NYCRR 500

Top 4 main areas to make sure you’re compliant:

  1. Appoint a Chief Information Security Officer (CISO)
  2. Establish a cybersecurity program
  3. Adopt a cybersecurity policy
  4. Manage third party service providers

The regulation also requires:
    • Annual penetration tests
    • Bi-annual vulnerability assessments

Highlights
  • Derived from NIST standards
  • Sweeping proposal will hold banks, insurers and other financial services firms strictly accountable for shielding both in-transit and at-rest data
  • The proposal calls for organizations to encrypt sensitive data both in-transit and at-rest
  • Affects Wall Street and about 1,900 companies with $2.9 trillion (USD) in assets
  • Regulates who is responsible for breach, must have awareness and action plan; pushes it up to the board
  • Companies need to define criteria, have an incident response policy and update vendor management with minimum standards to do business with the financial institutions

Are there any penalties for non-compliance?

Under the new DFS scheme, company executives must certify compliance with the NY DFS regulations on an annual basis.

  • Should those certifications prove incorrect, they could provide the basis for the DFS or consumers to make claims against banks, insurers and other financial services firms for breach of such certification. The proposal notes that its requirements will be enforced “under any applicable laws,” which include laws (e.g., New York Banking Law, New York Insurance Law) that carry individual civil and criminal penalties for intentionally making false statements to DFS.

How does this affect my business?
  • If your business is within the banking, insurance or other financial services industry in New York City, or if you provide a service or are on contract as a vendor to these industry firms, you will need to follow and be subject to these rules as well.
  • You will also need to comply with the regulation and its rules by having the right systems in place for security and for encryption of stored information.
  • The regulation requires organizations that process or hold personally identifiable information to implement adequate security measures to protect against loss of personal data.

Data encryption

  • The proposal calls for organizations to encrypt sensitive data both in-transit and at-rest. (Section 500.15 Encryption of Nonpublic Information.)
  • Requires organizations that process or hold personally identifiable information to implement adequate security to protect against loss of personal data.
  • Organizations will be required to include these enhanced data encryption standards in their contracts with third party service providers. (Section 500.11 Third Party Service Provider Security Policy.)
    • This particularly affects organizations with large numbers of service providers, as they must take steps to confirm each service provider’s adherence to the encryption requirements.
  • Encryption requirements for in-transit data must be met by January 2018, while compliance for at-rest data must be met by January 2022. However, DFS expects that, prior to those dates, organizations secure nonpublic information using alternative controls that have been reviewed and approved by the Chief Information Security Officer (CISO).

What should my business do to be compliant?

  • Map internal and external products / devices that store data
  • Log company equipment in use, require it to be covered under your data security policy, and ensure data encryption is utilized. This includes items such as, but not limited to: servers, hard drives, SSDs, USB Flash drives, computers and mobile devices.
  • Inventory Analysis
    Evaluate the amount of personal data held in totality.
  • Purge
    Eliminate archives of unnecessary personally identifiable information (PII).
  • Controllers of Information
    Review privacy risk and impact assessments.
  • Contracts
    Future-proof your business by enacting now the policies that become mandatory after the effective start date of February 2018.
  • Data Breaches
    The regulation requires notice within 72 hours.

Solution - Implement appropriate safeguards, technical standards and policies, such as data encryption of personal data / personally identifiable information (PII), to mitigate the risk of non-compliance.

Breach Notification

Notifications of data breaches must be accomplished within 72 hours of learning of the breach, where feasible, although notification need not be made to the DPA if it is unlikely to result in risk to the rights or freedoms of individuals.

What is Personal Identifiable Information (PII)?

Personally Identifiable Information (PII), or Sensitive Personal Information (SPI), as used in U.S. privacy law and information security, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.

  • NIST Special Publication 800-122 defines PII as “any information about an individual maintained by an agency, including, (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and, (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”

Cybersecurity Policy

(From “Cybersecurity requirements for financial services companies” document: http://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf )

  • Each Covered Entity shall implement and maintain a written policy or policies, approved by a Senior Officer or the Covered Entity’s board of directors (or an appropriate committee thereof) or equivalent governing body, setting forth the Covered Entity’s policies and procedures for the protection of its Information Systems and Nonpublic Information stored on those Information Systems.

(a) information security
(b) data governance and classification
(c) asset inventory and device management
(d) access controls and identity management
(e) business continuity and disaster recovery planning and resources
(f) systems operations and availability concerns
(g) systems and network security
(h) systems and network monitoring
(i) systems and application development and quality assurance
(j) physical security and environmental controls
(k) customer data privacy
(l) vendor and Third Party Service Provider management
(m) risk assessment
(n) incident response

Key Dates under New York's Cybersecurity Regulation (23 NYCRR Part 500)

  • March 1, 2017 - 23 NYCRR Part 500 becomes effective.
  • August 28, 2017 - 180 day transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR Part 500 unless otherwise specified.
  • September 27, 2017 - Initial 30 day period for filing Notices of Exemption under 23 NYCRR 500.19(e) ends. Covered Entities that have determined that they qualify for a limited exemption under 23 NYCRR 500.19(a)-(d) as of August 28, 2017 are required to file a Notice of Exemption on or prior to this date.
  • February 15, 2018 - Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.
  • March 1, 2018 - One year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500.
  • September 3, 2018 - Eighteen month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.
  • March 1, 2019 - Two year transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11.