Cybersecurity Requirements from the New York State Department Of Financial Services 23 NYCRR 500

CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES

Keep Compliant with Kingston

Manage Threats and Reduce Risks

Encrypted lineup

Available options cover every need, from personal and corporate to government.

  • 100% Compliant Encrypted USB data storage
  • Simple, easy to use, no software or drivers needed
  • Designed for quick and efficient deployment

NYDFS 23 NYCRR 500: top 5 areas to be aware of to make sure you're compliant:

  1. Encrypt sensitive data both in transit and at rest. (Section 500.15 Encryption of Nonpublic Information.)
  2. Appoint a Chief Information Security Officer (CISO).
  3. Establish a cybersecurity program.
  4. Adopt a cybersecurity policy.
  5. Manage third-party service providers.
    • Required testing includes:
      • Annual penetration tests
      • Bi-annual vulnerability assessments

Are there any penalties for non-compliance?

Under the new DFS scheme, company executives must certify compliance with the NY DFS regulations on an annual basis.

  • Should those certifications prove incorrect, they could provide the basis for the DFS or consumers to make claims against banks, insurers and other financial services firms for breach of such certification. The proposal notes that its requirements will be enforced “under any applicable laws,” which include laws:
    • such as the New York Banking Law and the New York Insurance Law
    • that contain individual civil and criminal penalties for intentionally making false statements to DFS

What do I need to know?

Highlights

  • Derived from NIST standards
  • A sweeping proposal that will hold banks, insurers and other financial services firms strictly accountable for shielding both in-transit and at-rest data
  • The proposal calls for organizations to encrypt sensitive data both in transit and at rest
  • Affects Wall Street and about 1,900 companies with $2.9 trillion (USD) in assets
  • Regulates who is responsible for a breach: organizations must have awareness and an action plan, and responsibility is pushed up to the board
  • Companies need to define criteria, have an incident response policy and update vendor management with minimum standards for doing business with financial institutions

Data encryption

  • A Kingston or IronKey encrypted USB drive is one of the solutions to standardize on for data encryption compliance
  • The proposal calls for organizations to encrypt sensitive data both in transit and at rest. (Section 500.15 Encryption of Nonpublic Information.)
    • Section 500.15 Encryption of Nonpublic Information:
      • (a) As part of its cybersecurity program, based on its Risk Assessment, each Covered Entity shall implement controls, including encryption, to protect Nonpublic Information held or transmitted by the Covered Entity both in transit over external networks and at rest.
  • Requires organizations that process or hold personally identifiable information to implement adequate security to protect against personal data loss.
  • Organizations will be required to include these enhanced data encryption standards in their contracts with third-party service providers. (Section 500.11 Third Party Service Provider Security Policy.)
    • Organizations with large numbers of service providers are particularly affected, as they must take steps to confirm each service provider’s adherence to the encryption requirements.
      • Section 500.11 Third Party Service Provider Security Policy:
        • (2) the Third Party Service Provider’s policies and procedures for use of encryption as required by section 500.15 of this Part to protect Nonpublic Information in transit and at rest;

How does this affect my business?

  • If your business is in the banking, insurance or other financial services industry within New York City, or if you provide a service or work on contract as a vendor to firms in these industries, you will need to follow these rules and be subject to them as well.
  • You will also need to comply with the regulation and rules by having the right systems in place for security and for encryption of stored data.
  • Organizations that process or hold personally identifiable information are required to implement adequate security measures to protect against personal data loss.

What should my business do to be compliant?

  • Map internal and external products / devices that store data
  • Log company equipment in use, require it to be covered under your data security policy, and ensure data encryption is used. This includes items such as, but not limited to: servers, hard drives, SSDs, USB flash drives, computers and mobile devices.
  • Inventory Analysis
    Evaluate the total amount of personal data held.
  • Purge
    Eliminate archives of unnecessary personally identifiable information (PII).
  • Controllers of Information
    Review privacy risk and impact assessments.
  • Contracts
    Future-proof your business by enacting now the policies that become mandatory after the effective start date of February 2018.
  • Data Breaches
    The regulation requires notice within 72 hours.

Solution - Implement appropriate safeguards, technical standards and policies, such as data encryption of personal data / personally identifiable information (PII), to mitigate the risk of non-compliance.

Breach Notification

Notification of a data breach must be made within 72 hours of learning of the breach, where feasible, although notification need not be made to the DPA if the breach is unlikely to result in a risk to the rights or freedoms of individuals.

Consumer Rights

What is Personal Identifiable Information (PII)?

Personally Identifiable Information (PII), or Sensitive Personal Information (SPI), as used in U.S. privacy law and information security, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.

  • NIST Special Publication 800-122 defines PII as “any information about an individual maintained by an agency, including, (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and, (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.” (For more information: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf )

Cybersecurity Policy

(From “Cybersecurity requirements for financial services companies” document: https://www.governor.ny.gov/sites/default/files/atoms/files/Cybersecurity_Requirements_Financial_Services_23NYCRR500.pdf )

Each Covered Entity shall implement and maintain a written policy or policies, approved by a Senior Officer or the Covered Entity’s board of directors (or an appropriate committee thereof) or equivalent governing body, setting forth the Covered Entity’s policies and procedures for the protection of its Information Systems and Nonpublic Information stored on those Information Systems.

The cybersecurity policy must address the following areas:

(a) information security
(b) data governance and classification
(c) asset inventory and device management
(d) access controls and identity management
(e) business continuity and disaster recovery planning and resources
(f) systems operations and availability concerns
(g) systems and network security
(h) systems and network monitoring
(i) systems and application development and quality assurance
(j) physical security and environmental controls
(k) customer data privacy
(l) vendor and Third Party Service Provider management
(m) risk assessment
(n) incident response

Key Dates under New York's Cybersecurity Regulation (23 NYCRR Part 500)

  • March 1, 2017 - 23 NYCRR Part 500 becomes effective.
  • August 28, 2017 - 180 day transitional period ends. Covered Entities are required to be in compliance with requirements of 23 NYCRR Part 500 unless otherwise specified.
  • February 15, 2018 - Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.
  • March 1, 2018 - One year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500.
  • September 3, 2018 - Eighteen month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.
  • March 1, 2019 - Two year transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11.