The 180 Days Are Over: NYS DFS Cybersecurity Regulation – 23 NYCRR 500

The New York State Department of Financial Services (NYS DFS) announced 23 New York Code Rules and Regulations 500 (23 NYCRR 500), a cybersecurity regulation for all financial institutions doing business in New York.

Today marks the end of the first major deadline for this regulation, 180 days after it went into effect on March 1, 2017. By now, financial institutions doing business in New York should have a cybersecurity program, cybersecurity policies, a Chief Information Security Officer (CISO), access privilege controls, cybersecurity personnel, an incident response plan, and notification procedures.

CCSI has outlined a great roadmap for what the requirements are and how long financial institutions will have to meet them:

23 NYCRR 500 applies to all individuals and organizations that are regulated by NYS DFS, impacting any individual or organization that “operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the [New York] banking law, the insurance law, or the financial services law.” The regulation also applies to state-chartered and foreign banks licensed to operate in New York (e.g., Barclays, Deutsche Bank, Goldman Sachs Group). Additionally, the law extends to third-party suppliers who process, store, and transmit non-public information associated with these individuals and entities. There are some exemptions for individuals and entities that have fewer than 10 employees, less than $5 million in annual revenue, or $10 million in total assets at the end of the fiscal year.

Although there are 16 requirements, all focused on protecting non-public information and sensitive data, the regulation overlaps substantially with GLBA, SOX, and FFIEC guidance. Unlike those other regulations, this one is fairly easy to digest and execute. In the first six months, individuals and organizations should focus on the following 7 requirements:

  • 500.02 – Creation of an information security program
  • 500.03 – Documentation of cyber security policies
  • 500.04 – Designate a CISO to lead cyber security program
  • 500.07 – Create a process/procedure to limit access and review privileges to nonpublic information
  • 500.10 – Provide cyber security training for cyber security personnel
  • 500.16 – A written incident response plan
  • 500.17 – Notification of cyber security event and annual reporting to superintendent

Potential Penalties

Failure to understand the extensive coverage of 23 NYCRR 500, as well as the available exemptions and the timing and limits of those exemptions under the final regulation, could subject a covered entity to potential penalties. The regulation is enforced by the NYS DFS under New York law. That enforcement authority includes the ability to issue a consent order, impose a civil money penalty, or enter into a written agreement with a covered entity under New York Banking Law §§ 39, 44 and 44-a and relevant provisions of the New York Insurance Law and New York Financial Services Law. This means the penalties could range from having your license revoked to a financial penalty “that shall not exceed two thousand five hundred dollars for each day during which such violation continues.” See: New York Consolidated Laws, Banking Law – BNK § 44. Violations; penalties http://codes.findlaw.com/ny/banking-law/bnk-sect-44.html

For knowingly and willfully failing to comply, the penalties could range from having the entity’s license revoked to a financial penalty of:

  • $250,000
  • 1% of the total assets of such banking organization
  • 1% of the total assets of the banking subsidiaries

What If I Don’t Comply?

In the past the NYS DFS has imposed steep fines on Covered Entities (and/or demanded the termination of compliance officers) that allegedly failed to implement and maintain appropriate policies and procedures in other contexts – such as with anti-money laundering compliance programs.

STEALTHbits’ Purpose Driven solutions and approach will help you achieve NYCRR 500 compliance in a manner that is aligned with your mission and give you the technical and operational infrastructure to maintain that compliance over time. A Readiness Assessment is the first step to assessing your current NYCRR 500 compliance profile and determining exactly what you need to do to reach your goal.

If you have questions about our Readiness Assessment and Remediation Roadmap services, need NYCRR 500 assistance, or have questions about NYCRR 500 compliance, contact STEALTHbits today.

https://www.stealthbits.com/nycrr-500

Gabriel Gumbs is the VP of Product Strategy at STEALTHbits Technologies responsible for end-to-end product vision and innovation. With a 16 year tenure in CyberSecurity, he has spent most of that time as a security practitioner, aligning security innovations with business objectives for Fortune 100 organizations. Gabriel is an information security thought leader, privacy advocate and public speaker.
