Amendment to New York Department of Financial Services:

Cybersecurity Regulation 23 NYCRR 500

Posted June 22, 2023 | by Stan Letarte, Senior Security Strategist, GreyCastle Security
Check out our Webinar, Cybersecurity Regulations Impact Financial Orgs (NYDFS Regulation 23 NYCRR 500)

The New York State Department of Financial Services (DFS) has proposed an amendment that will significantly update the 23 NYCRR 500 regulation, cybersecurity requirements for financial services companies, commonly referred to as Part 500.

Failure to comply may result in civil penalties in the millions of dollars; you can read more about these actions at the Department of Financial Services Enforcement Actions website.

The goal of the amendment is to ensure financial organizations are adequately protecting sensitive consumer information. Covered entities (CEs) must comply with new requirements in phases, starting on the effective date of the second amendment (See, with exceptions for certain provisions. Some are suggesting that the law is likely to be ratified in 2023.

Five Steps to Align With New DFS 23 NYCRR 500 Amendment

It is important to organize and understand the necessary changes and the impacts they will have to effectively plan, budget, and become compliant. Many of these changes have organization-wide impacts and require awareness and support from many business units.

1. 1. 1. Understand the changes
    2. Identify gaps in current program
    3. Build a corrective action plan
    4. Align stakeholders
    5. Remediate gaps

DFS 23 NYCRR 500 Amendment Checklist

500.01 DEFINITIONS

- - Validate what “class” your organization is now defined as
  - Validate if you are a “covered entity”
  - Understand material changes to clarified definitions for Independent Audit, Privileged Account, Risk Assessment, and Senior Governing Body

500.02 CYBERSECURITY PROGRAM

- - Nonpublic Information (NPI) now includes the data itself, not only the information systems.
  - Class A companies must have an independent audit, at least annually

500.03 CYBERSECURITY POLICY

- - Policy must be approved at least annually by the senior governing body (i.e., the Board)
  - Policy must now be implemented with supporting procedures
  - New Policies must be implemented for Data Retention, Remote Access Control, End-of-life Device Management, Security Awareness Training, and Vulnerability Management

500.04 CYBERSECURITY GOVERNANCE (formerly Chief Information Security Officer)

- - CISO/Qualified Individuals must have adequate independence and authority and must report to the board.
  - Establish a senior governing body that must (1) exercise oversight of risk management, (2) require executive management to develop & maintain cybersecurity program, (3) have sufficient expertise and knowledge to oversee cybersecurity risk management effectively

500.05 VULNERABILITY MANAGEMENT (formerly “Penetration Testing and Vulnerability Management)

- - Requires a qualified independent party (internal or external)
  - Provide timely remediation for flaws
  - Document and report material issues to the senior governing body and senior management

500.07 ACCESS PRIVILEGES AND MANAGEMENT (formerly “Access Privileges”)

- - Access privileges must be limited to those necessary to perform the user’s job
  - Limit the number of privileged accounts
  - Separate accounts for privileged access
  - Perform, at least annually, access reviews and account reviews
  - Disable or securely configure all protocols that allow remote control of devices
  - Promptly terminate access following departures
  - Maintain a password policy that implements industry-standard mechanisms
  - Class A companies must implement (1) privileged access management solutions and (2) an automatic method of blocking commonly used passwords.

500.08 APPLICATION SECURITY

- - At least annually, review application security procedures, standards, and guidelines

500.09 RISK ASSESSMENT

- - Review and update at least annually and whenever a change in the business or technology causes a material change to cyber risk
  - Class A companies must use external experts to conduct the risk assessment

500.11 THIRD-PARTY SERVICE PROVIDER POLICY

- - Removed the limited exemption for third parties that are covered entities

500.12 MULTI-FACTOR AUTHENTICATION

- - Allows for a “risk-based authentication”
  - Allows for CISO approval of equivalent or more secure compensating controls
  - Specifies three areas of implementation: (1) remote access to the CE’s systems, (2) remote access to third-party applications from which CE NPI is accessible, (3) all privileged accounts
  - For more information, consult the NYS DFS December 7, 2021, Industry letter about MFA

500.13 ASSET MANAGEMENT AND DATA RETENTION REQUIREMENTS (formerly “Limits on Data Retention”)

- - Asset Inventory must include owner, location, classification/sensitivity, support expiration date, and recovery time for each asset

500.14 – MONITORING AND TRAINING (formerly “Training & Monitoring”)

- - Malicious code protection / email and web filtering are mandatory
  - Minimum annual awareness training, including social engineering
  - Class A companies must implement endpoint protection and centralized logging and alerting

500.15 PROTECTION OF NONPUBLIC INFORMATION (formerly “Encryption”)

- - Must have a written policy requiring encryption that meets industry standards
  - Must have written approval from the CISO

500.16 INCIDENT RESPONSE AND BUSINESS CONTINUITY MANAGEMENT (formerly “Incident Response Plan”)

- - Requires proactive measures to ensure resilience as part of the plan
  - Requires a business continuity, disaster recovery plan, and supporting processes, including training and testing.

500.17 NOTICES TO SUPERINTENDENT

- - Specific cybersecurity event notification requirements, including updated timelines
  - Certification notification to the superintendent requires an annual written statement demonstrating areas of compliance and non-compliance
  - Extortion payment (ransomware) notification within 24 hours and a full report within 30 days

500.22 TRANSITIONAL PERIODS

- - The second amendment shall become effective on publication of the Notice of Adoption in the State Register.
  - After that date, Covered Entities are expected to have:
  - Immediate compliance with the new requirements specified in sections 500.19(e)-(h), 500.20, 500.21, 500.22 and 500.24
  - 30 days to comply with section 500.17
  - 12 months to comply with the new requirements specified in sections 500.16(e) and 500.19(a)
  - 18 months to comply with the new requirements specified in sections 500.5(a)(2), 500.7(b), 500.12(b), 500.14(a)(2), and 500.14(b)
  - 24 months to comply with the new requirements specified in section 500.13(a)

Ultimately, these changes will provide significant improvements to the safety of consumers and their sensitive information. Organizations will need to understand, with clarity, the changes and how they impact business operations and budgets. The best way to prepare is to start now and build an actionable plan with the support of senior stakeholders.