What is the DFS Cyber Security Regulation?

The NY DFS Cybersecurity Regulation (23 NYCRR 500) is a new set of regulations from the New York Department of Financial Services (NYDFS) that places new cybersecurity requirements on all covered financial institutions. The rules were released on February 16th, 2017 after two rounds of feedback from industry and the public. They acknowledge the ever-growing threat that cyber criminals pose to financial systems, and are designed to ensure businesses effectively protect their customers’ confidential information from cyber attacks. This includes conducting regular security risk assessments, keeping audit trails of asset use, providing defensive infrastructure, maintaining cybersecurity policies and procedures, and creating an incident response plan.

The goal of the regulation is to ensure the safeguarding of sensitive customer data and to promote the integrity of the information technology systems of regulated entities.

As a filing entity you must comply with the following requirements:

  • Establish a Cybersecurity Program (500.02)
  • Develop a Cybersecurity Policy (500.03)
  • Assign a Chief Information Security Officer (500.04)
  • Perform Periodic Penetration and Vulnerability Testing (500.05)
  • Maintain an Audit Trail designed to detect and respond to Cybersecurity Events (500.06)
  • Limit User Access Privileges (500.07)
  • Establish Application Security Procedures (500.08)
  • Perform Periodic Risk Assessments (500.09)
  • Utilize qualified Cybersecurity Personnel to manage and oversee the performance of the cybersecurity program (500.10(a)(1))
  • Provide cybersecurity personnel with cybersecurity updates and training (500.10(a)(2))
  • Enable Multi-Factor Authentication for Information Systems (500.12)
  • Provide Employee Cybersecurity Training and Monitoring (500.14)
  • Enable Data Encryption and Protection (500.15)
  • Establish an Incident Response Plan (500.16)

All regulated entities will need to develop a cybersecurity policy and implement an incident response plan that includes notifying the Department of data breaches and cybersecurity events within 72 hours.

The DFS 23 NYCRR 500 applies to all regulated entities, meaning “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law”, including:

  • State banks
  • Licensed lenders
  • Private banks
  • Foreign banks operating in New York
  • Mortgage companies
  • Insurance companies
  • Trust companies
  • Service providers

Penalties pursuant to the New York Banking Law are authorized up to (a) $2,500 per day during which a violation continues, (b) $15,000 per day in the event of any reckless or unsound practice or pattern of misconduct, or (c) $75,000 per day in the event of a knowing and willful violation.

500.19(a)(1) Fewer than 10 employees

You are entitled to this limited exemption when your business has fewer than 10 employees, including independent contractors. You must still design and implement a Cybersecurity program, including submitting an annual Certification of Compliance.

500.19(a)(2) Less than $5M in gross annual revenue

You are entitled to this limited exemption when your business has less than $5,000,000 in gross annual revenue in each of the last 3 fiscal years. You must still design and implement a Cybersecurity program, including submitting an annual Certification of Compliance.

500.19(a)(3) Less than $10M in year-end total assets

You are entitled to this limited exemption when your business has less than $10,000,000 in year-end total assets. You must still design and implement a Cybersecurity program, including submitting an annual Certification of Compliance.
