October 2017 - New York Enacts Cybersecurity Requirements for Financial Services Companies
As we've previously discussed, the New York Department of Financial Services proposed a new regulation on the cybersecurity procedures of the financial industry. On March 1, 2017, 23 NYCRR 500 Cybersecurity Requirements for Financial Services Companies was enacted. The regulation requires banks, insurance companies and other financial institutions regulated by the State Department of Financial Services to establish and maintain a cybersecurity program. It is important to note that this regulation does not apply to nationally chartered institutions.
This regulation, like other federal (HIPAA) and state (Massachusetts Security Regulation) regulations, is a response to the growing threats to financial systems and data posed by nation-states, terrorist organizations and independent criminal actors. The financial services industry has been a significant target of cybersecurity threats and in this writer's opinion will continue to be.
In summary, under 23 NYCRR 500, NYS-regulated financial institutions, referred to as Covered Entities, must:
- Establish a Cybersecurity Program.
- Adopt a Cybersecurity Policy.
- Name a Chief Information Security Officer.
- Ensure the security of any third-party service providers who have access to the covered entity's financial systems and/or data.
Establishing and adopting a cybersecurity policy and program includes, among other things, performing risk assessments, employee training, penetration testing and access privilege reviews. The focus of 23 NYCRR 500 is on implementing a preventive and reactive policy that allows a Covered Entity to recover quickly should a security incident occur.
According to the NYS Department of Financial Services website, key dates under New York's Cybersecurity Regulation (23 NYCRR Part 500) are as follows:
- March 1, 2017: 23 NYCRR Part 500 becomes effective.
- August 28, 2017: 180-day transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR Part 500 unless otherwise specified.
- September 27, 2017: Initial 30-day period for filing Notices of Exemption under 23 NYCRR 500.19(e) ends. Covered Entities that have determined that they qualify for a limited exemption under 23 NYCRR 500.19(a)-(d) as of August 28, 2017, are required to file a Notice of Exemption on or prior to this date.
- February 15, 2018: Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.
- March 1, 2018: One-year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500.
- September 3, 2018: Eighteen-month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.
- March 1, 2019: Two-year transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11.
Whether or not your company is a NYS-regulated financial institution, if it has a current information security plan, policies and procedures, it should update them to reflect these requirements. Any company that does not currently have an information security plan, policies or procedures should be proactive and use 23 NYCRR 500 as a guide to create one.
The financial industry is the most regulated from a cybersecurity standpoint because it has the highest likelihood of being targeted by hackers. By building your company's information security program on the requirements and guidelines outlined in this regulation, you will have established a sound information security plan.
John G. Roman, Jr. CISSP
September 8, 2017