New York State is implementing broad-reaching regulations to protect its financial institutions. Titled “Cybersecurity Requirements for Financial Services Companies”, this set of regulations builds on NIST 800-53 to require institutions to implement security best practices. Although the rules apply only to financial institutions at this time, the Department of Financial Services is setting a precedent that other sectors can follow in the future.
So, who must comply with 23 NYCRR 500? Currently, any large institution supervised by the New York State Department of Financial Services. This comprises many of the world’s leading financial institutions—from insurance companies, banks and charitable foundations, to mortgage brokers. Not included are institutions with fewer than 10 employees, less than $5 million in gross revenue in the last three years, or less than $10 million in year-end total assets. These institutions must instead file a Notice of Exemption with NYDFS.
Why implement these new regulations? Simply put, consumers are protected when financial institutions are vigilant in securing their data. NYCRR is also acting as a guide to other states and institutions looking to stay ahead of the curve.
NuHarbor Can Help
A 300-person insurance company in New England used outmoded systems that unknowingly put the company and its clients at risk. A new Technology Officer used 23 NYCRR 500 as an example of potential future regulations that the company did not currently meet. NuHarbor Security delivered a suite of integrated services:
There is no “cookie-cutter” approach to security. Each institution needs a unique organizational structure designed to ensure confidentiality, integrity, and availability of data. Prior to publication of these new rules, the New York State Department of Financial Services researched over 150 companies’ current security methodology. This research resulted in five core principles for the new regulations:
Establishment of a Cybersecurity Program
Adoption of security policy and procedure
Role of the CISO (Chief Information Security Officer)
Monitoring of Third-Party Service Providers
Additional items relating to security best practice
Implementation of these core principles is set as a “certain regulatory minimum standard while maintaining flexibility so that the final rule does not limit industry innovation and instead encourages firms to keep pace with technological advances.”
A first draft of this legislation was released in September of 2016. It has since gone through a public comment period, and an updated version was published on December 28, 2016. The latest version requires compliance beginning March 1, 2017. There is some flexibility with the revised regulations, but many institutions will find that implementation has a steep learning curve.
We are pleased to help break down these regulations specifically to your needs. Some of the regulations are best outsourced to professionals while others are best implemented and overseen in-house.
March 1, 2017: 23 NYCRR Part 500 becomes effective.
August 28, 2017: 180-day transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR Part 500 unless otherwise specified.
October 30, 2017: Extended deadline for filing the Notice of Exemption required by 23 NYCRR 500.19(e).
February 15, 2018: Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.
March 1, 2018: One-year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500.
September 3, 2018: Eighteen-month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.
March 1, 2019: Two-year transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11.