
NY DFS 23 NYCRR 500 Compliance

What is the New York Cybersecurity Regulation?

23 NYCRR Part 500, Financial Services Law. The Department of Financial Services (DFS) has broad authority to take appropriate action to ensure that providers of financial products and services to New York consumers remain solvent, protect consumers, and act reasonably to protect against financial fraud, criminal abuse, and unethical conduct. With cybercrime on the rise, the DFS adopted new Cybersecurity Requirements for Financial Services Companies, designed to ensure the safe and sound operation of financial providers and to protect New York's consumers. Covered entities include, but are not limited to, banks, lenders, and insurance companies. Check with the DFS to see whether your classification of business is affected.

The rule spells out what each covered entity must do. This includes the following:

  • Establish a Cybersecurity Program
  • Maintain written Cybersecurity Policies
  • Follow Data Governance and Classification practices
  • Annual Penetration Testing
  • Bi-annual (at least twice yearly) Vulnerability Assessments
  • Institution of Log Management
  • Implementation of Access Controls based on “Least Privilege”
  • Development of an Application Security Practice for internally developed applications
  • Annual Risk Assessment
  • Employ Cybersecurity professionals to manage your risks
  • Launch a Third Party Information Security Policy and Risk Management Program
  • Configure Multi-Factor Authentication
  • Implement Record Retention Policies and Procedures
  • Provide Security Awareness Training
  • Institute Data Encryption for data in transit or stored
  • Develop and test a security Incident Response Plan
  • Have the CISO report in writing at least annually to the company's board or governing body on the cybersecurity program and material risks
  • Annually certify your compliance to the DFS

Deadlines for Compliance

The transitional periods in 23 NYCRR 500.22 give the requirements varying compliance deadlines. Here is an overview:

August 28, 2017

  • Cybersecurity program in place
  • Cybersecurity policy created
  • Designation of a CISO
  • Limitation of user access privileges
  • Use, training and verification of cybersecurity personnel and intelligence
  • Development of an incident response plan

February 15, 2018

  • First annual certification of compliance

March 1, 2018

  • Monitoring and periodic penetration testing and vulnerability assessments
  • Risk Assessment
  • Multi-factor authentication
  • Cybersecurity awareness training for personnel
  • First CISO report to board of directors

September 1, 2018

  • Implementation of audit trail
  • Application security
  • Limitations of data retention
  • Establishment of a monitoring program
  • Encryption of nonpublic information

March 1, 2019

  • Creation of third party service provider security policy

JLS Technology can help your organization become compliant with NYS DFS 23 NYCRR 500 today!

Contact us for more info: 973-968-4804, will@jlstech.com