Cybersecurity Requirements from the New York State Department Of Financial Services 23 NYCRR 500

CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES

Keep Compliant with Kingston

Manage Threats and Reduce Risks

Encrypted lineup

Available options cover every need, from personal and corporate to government.

  • 100% compliant encrypted USB data storage
  • Simple and easy to use; no software or drivers needed
  • Designed for quick and efficient deployment

NYDFS 23 NYCRR 500: the top 5 areas to be aware of to make sure that you’re compliant:

  1. Encrypt sensitive data both in transit and at rest (Section 500.15, Encryption of Nonpublic Information).
  2. Appoint a Chief Information Security Officer (CISO).
  3. Establish a cybersecurity programme.
  4. Adopt a cybersecurity policy.
  5. Manage third-party service providers. This includes the required:
    • Annual penetration tests
    • Bi-annual vulnerability assessments

Are there any penalties for non-compliance?

Under the new DFS scheme, company executives must certify compliance with the NY DFS regulations on an annual basis.

  • Should those certifications prove incorrect, they could provide the basis for the DFS or consumers to make claims against banks, insurers and other financial services firms for breach of such certification. The proposal notes that its requirements will be enforced “under any applicable laws”, which include laws (e.g. the New York Banking Law and the New York Insurance Law) that contain individual civil and criminal penalties for intentionally making false statements to the DFS.

What do I need to know?

Highlights

  • Derived from NIST standards
  • A sweeping proposal that will hold banks, insurers and other financial services firms strictly accountable for shielding both in-transit and at-rest data
  • The proposal calls for organisations to encrypt sensitive data both when in transit and at rest
  • Affects Wall Street and about 1,900 companies with $2.9 trillion (USD) in assets
  • Regulates who is responsible for a breach: that person must have awareness of it and an action plan, and must escalate it to the board
  • Companies need to define criteria, have an incident response policy and update vendor management with minimum standards that vendors must meet to do business with the financial institutions

Data encryption

  • Kingston and IronKey encrypted USB drives are one of the solutions to standardise on for data encryption compliance.
  • The proposal calls for organisations to encrypt sensitive data both when in transit and at rest (Section 500.15, Encryption of Nonpublic Information):
    • “(a) As part of its cybersecurity program, based on its Risk Assessment, each Covered Entity shall implement controls, including encryption, to protect Nonpublic Information held or transmitted by the Covered Entity both in transit over external networks and at rest.”
  • Requires organisations that process or hold personally identifiable information to implement adequate security to protect against the loss of personal data.
  • Organisations will be required to include these enhanced data encryption standards in their contracts with third-party service providers (Section 500.11, Third Party Service Provider Security Policy).
    • This is a significant undertaking for organisations with a large number of service providers, as they must take steps to confirm each service provider’s adherence to the encryption requirements. Section 500.11 requires policies and procedures addressing, among other things:
      • “(2) the Third Party Service Provider’s policies and procedures for use of encryption as required by section 500.15 of this Part to protect Nonpublic Information in transit and at rest;”

How does this affect my business?

  • These rules affect businesses within the banking, insurance and other financial service industries within New York City. They also apply if you provide a service to these industry firms as a vendor or on a contract basis.
  • You will also have to comply with the regulations and rules on having the right systems in place for the security and encryption of stored data.
  • The regulation requires organisations that process or hold personally identifiable information to implement adequate security measures to protect against the loss of personal data.

What should my business do to be compliant?

  • Document internal and external products/devices that store data
    A record must be kept of the company equipment used and covered under your data security policy, to ensure that data encryption is used. This includes items such as servers, hard drives, SSDs, USB flash drives, computers and mobile devices.
  • Inventory analysis
    Evaluate the total amount of personal data held.
  • Purge
    Eliminate archives of unnecessary personally identifiable information (PII).
  • Controllers of information
    Review the privacy risk and perform impact assessments.
  • Contracts
    Future-proof your business by enacting now the policies that will become mandatory after the effective start date in February 2018.
  • Data breaches
    The regulation requires notice within 72 hours.

Solution: implement appropriate safeguards, technical standards and policies, such as encryption of personal data / personally identifiable information (PII), to mitigate the risk of non-compliance.

Breach Notification

Notification of a data breach must be provided within 72 hours of learning about the breach, where feasible, although notification need not be made to the DPA if the breach is unlikely to result in a risk to the rights or freedoms of individuals.

Consumer Rights

What is Personal Identifiable Information (PII)?

Personally Identifiable Information (PII) or Sensitive Personal Information (SPI), as used in US privacy law and information security, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.

  • NIST Special Publication 800-122 defines PII as “any information about an individual maintained by an agency, including, (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and, (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.” (For more information: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf )

Cybersecurity Policy

(From “Cybersecurity requirements for financial services companies” document: https://www.governor.ny.gov/sites/default/files/atoms/files/Cybersecurity_Requirements_Financial_Services_23NYCRR500.pdf )

Each Covered Entity shall implement and maintain a written policy or policies, approved by a Senior Officer or the Covered Entity’s board of directors (or an appropriate committee thereof) or equivalent governing body, setting forth the Covered Entity’s policies and procedures for the protection of its Information Systems and Nonpublic Information stored on those Information Systems.

The cybersecurity policy must address the following areas:

(a) information security
(b) data governance and classification
(c) asset inventory and device management
(d) access controls and identity management
(e) business continuity and disaster recovery planning and resources
(f) systems operations and availability concerns
(g) systems and network security
(h) systems and network monitoring
(i) systems and application development and quality assurance
(j) physical security and environmental controls
(k) customer data privacy
(l) vendor and Third Party Service Provider management
(m) risk assessment
(n) incident response

Key Dates under New York's Cybersecurity Regulation (23 NYCRR Part 500)

  • 1 March 2017 - 23 NYCRR Part 500 becomes effective.
  • 28 August 2017 - 180-day transitional period ends. Covered Entities are required to be in compliance with requirements of 23 NYCRR Part 500 unless otherwise specified.
  • 15 February 2018 - Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.
  • 1 March 2018 - One year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500.
  • 3 September 2018 - Eighteen-month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.
  • 1 March 2019 - Two-year transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11.