This site uses cookies to provide enhanced features and functionality. By using the site, you are consenting to this. Read more about our cookie policy

NEW YORK STATE DEPARTMENT OF FINANCIAL SERVICES 23 NYCRR 500

(Full Effect: 15 February 2018) Applies to every organisation in New York that processes corporate/personal data, will take effect in February 2018 with 180 days for implementation.

CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES
Keep Compliant with Kingston

Encrypted lineup

Manage Threats and Reduce Risks

Available options cover every need from Personal, Corporate to Government.

  • 100% compliant encrypted USB data storage
  • Simple, easy to use, no software or drivers needed
  • Designed for quick and efficient deployment

Compliance logos

NYDFS - 23 NYCRR 500: Top 5 main areas to be aware of:

Top 5 main areas to make sure that you’re compliant:

  1. Encrypt sensitive data both in transit and at rest. (Section 500.15 Encryption of Nonpublic Information.)
  2. Appoint a Chief Information Security Officer (CISO)
  3. Establish a Cyber Security Programme
  4. Adopt a Cyber Security Policy
  5. Managing third-party service providers
    • Includes required:
      • Annual penetration tests
      • Bi-annual vulnerability assessments

New York State Seal

Are there any penalties for non-compliance?

Are there any penalties for non-compliance?

Under the new DFS scheme, company executives must certify compliance with the NY DFS regulations on an annual basis.

  • Should those certifications prove incorrect, they could provide the basis for the DFS or consumers to make claims against banks, insurers and other financial services firms for breach of such certification. The proposal notes that its requirements will be enforced “under any applicable laws”, which include laws:
    • e.g. New York Banking Law, New York Insurance Law
    • That contain individual civil and criminal penalties for intentionally making false statements to DFS
What do I need to know?
Highlights
  • Derived from NIST standards
  • Sweeping proposal will hold banks, insurers and other financial services firms strictly accountable for shielding both in-transit and at-rest data
  • The proposal calls for organisations to encrypt sensitive data both when in transit and at rest
  • Affects Wall Street and about 1,900 companies with $2.9 trillion (USD) in assets
  • Regulates who is responsible for a breach, must have awareness and an action plan; who pushes it up to the board
  • Companies need to define criteria, have an incident response policy and update vendor management with minimum standards to do business with the financial institutions
Data encryption

Data encryption

  • A Kingston and IronKey Encrypted USB drive is one of the solutions to standardise on for data encryption compliance
  • The proposal calls for organisations to encrypt sensitive data both when in transit and at rest. (Section 500.15 Encryption of Nonpublic Information.)
    • Section 500.15 Encryption of Nonpublic Information.
      • (a) As part of its cybersecurity program, based on its Risk Assessment, each Covered Entity shall implement controls, including encryption, to protect Nonpublic Information held or transmitted by the Covered Entity both in transit over external networks and at rest.
  • Requires organisations that process or hold personally identifiable information to implement adequate security to protect against the loss of personal data.
  • Organizations will be required to include these enhanced data encryption standards in their contracts with third party service providers. (Section 500.11 Third Party Service Provider Security Policy.)
    • Organisations with a large numbers of service providers, as they must take steps to confirm each service provider’s adherence to the encryption requirements.
      • Section 500.11 Third Party Service Provider Security Policy.
        • (2) the Third Party Service Provider’s policies and procedures for use of encryption as required by section 500.15 of this Part to protect Nonpublic Information in transit and at rest;
How does this affect my business?
  • These rules affect businesses within the banking, insurance and other financial service industries within New York City. They also apply if you provide a service to these industry firms as a vendor or on a contract basis.
  • You will also have to comply with the regulations and rules on having the right systems in place for the security and encryption of stored data.
  • Requires organisations that process or hold personally identifiable information to implement adequate security measures to protect against the loss of personal data.
What should my business do to be compliant?
  • Document internal and external products/devices that store data
  • A record must be kept of the company equipment used and covered under your data security policy to ensure that data encryption is used. This includes items such as servers, hard drives, SSDs, USB Flash drives, computers and mobile devices.
  • Inventory Analysis
    Evaluate the amount of personal data in totality.
  • Purge
    Eliminate archives of unnecessary personally identifiable information (PII).
  • Controllers of Information
    Review the privacy risk and perform impact assessments.
  • Contracts
    Future-proof your business by enacting policies now that will become mandatory after the effective start date in February 2018
  • Data Breaches
    Regulation requires notice within 72 hours.

Solution - Implement appropriate safeguards, technical standards and policies, such as the data encryption of personal data / personally identifiable information (PII) to mitigate the risk of non-compliance. Learn more

Breach Notification

Notifications of data breaches must be provided within 72 hours of learning about the breach, where feasible, although notification need not be made to the DPA if it is unlikely to result in risk to the rights or freedoms of individuals.

Consumer Rights
What is Personally Identifiable Information (PII)?

Personally Identifiable Information (PII) or Sensitive Personal Information (SPI), as used in US privacy law and information security, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.

  • NIST Special Publication 800-122[4] defines PII as “any information about an individual maintained by an agency, including, (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and, (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.” (For more information: (For more information: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf )

Consumer Rights

Cybersecurity Policy

(From “Cybersecurity requirements for financial services companies” document: http://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf )

  • Each Covered Entity shall implement and maintain a written policy or policies, approved by a Senior Officer or the Covered Entity’s board of directors (or an appropriate committee thereof) or equivalent governing body, setting forth the Covered Entity’s policies and procedures for the protection of its Information Systems and Nonpublic Information stored on those Information Systems.

(a) information security

(b) data governance and classification

(c) asset inventory and device management

(d) access controls and identity management

(e) business continuity and disaster recovery planning and resources

(f) systems operations and availability concerns

(g) systems and network security

(h) systems and network monitoring

(i) systems and application development and quality assurance

(j) physical security and environmental controls

(k) customer data privacy

(l) vendor and Third Party Service Provider management

(m) risk assessment

(n) incident response

Key Dates under New York's Cybersecurity Regulation (23 NYCRR Part 500)
  • 1 March 2017 - 23 NYCRR Part 500 becomes effective.
  • 28 August 2017 – 180-day transitional period ends. Covered Entities are required to be in compliance with requirements of 23 NYCRR Part 500 unless otherwise specified.
  • 15 February 2018 - Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.
  • 1 March 2018 - One year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500.
  • 3 September 2018 - Eighteen-month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.
  • 1 March 2019 - Two-year transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11.

This information is being provided for informational purposes only. Kingston is not providing consulting or legal advice in regards to NYDFS compliance. For additional information regarding NYDFS, please visit the relevant website at: http://www.dfs.ny.gov/about/cybersecurity.htm

        Back To Top