NYDFS Cybersecurity Regulation Complete Guide

Anwita

Sep 17, 2024

Guide to the NYDFS Cybersecurity Regulation

On November 1, 2023, Governor Kathy Hochul announced that the New York State Department of Financial Services had drafted the NYDFS Cybersecurity Regulation. Aimed at protecting New York-based businesses and their customers from cyber threats, the regulation combines a risk-based approach with stronger governance and robust access controls.

If you are a covered entity, you must understand the details of complying with this regulation. Read on to learn about its requirements, the step-by-step compliance process, and a faster way to comply.

TL;DR

DFS-regulated entities in New York or “covered entities”, meaning financial service providers who are regulated by the Department of Financial Services, need to adhere to the NYDFS regulation. This blog covers how you can go about it, including determining if you need to comply, exemptions, submitting notices, tips on automating compliance, and more.  

NYDFS requirements include a security program, policies, governance program, vulnerabilities, audit trail, superintendent notification, etc. 

What is the NYDFS Cybersecurity Regulation?

The New York Department of Financial Services (NYDFS) Cybersecurity Regulation establishes security requirements for financial services providers operating in New York. It requires DFS-regulated entities to assess their risk profile and develop a plan to minimize those risks systematically.

Developed by the state's Department of Financial Services (DFS), the regulation aims to curb the threats posed to information and financial systems by malicious actors and terrorist organizations.

It came into effect on March 1, 2017, after the DFS grew concerned about the impact cybercriminals could have on entities and on the privacy of their customers. Today, it helps firms develop and proactively manage security programs.

“This regulation helps ensure that the financial services organizations in the industry fulfill its obligation to safeguard consumers and ensure that its systems are sufficiently constructed to avert cyber-attacks to the fullest extent possible” – Governor Andrew Mark Cuomo, former U.S. government official

Who does it apply to?

NYDFS Cybersecurity Regulation applies to all “covered entities”, which are essentially businesses regulated by the DFS. According to the DFS, the term covered entity refers to “anyone operating under a license, charter, registration, certificate, permit, accreditation, or equivalent authorization”. Broken down, this definition includes all of the following:

  • State chartered banks
  • Licensed lenders
  • Private bankers
  • Foreign banks licensed to operate in NY
  • Insurance companies
  • Service providers 

In short, if your business operates within New York’s financial sector, you must be NYDFS compliant.

The authorization must be under the Banking Law, Financial Services Law, or Insurance Law, and the regulation applies even if the covered entity is already regulated by another government regulation.

How to become compliant with NYDFS Cybersecurity Regulation?

The DFS developed a guide to help DFS-regulated individuals and small businesses comply with this regulation. Here are the 4 steps to become NYDFS cybersecurity compliant:

1. Determine the applicability and exemption

If you are licensed or regulated by the DFS, you have to comply with NYDFS, as we discussed in the eligibility criteria. However, many brokers and small businesses are exempt from the regulation. For example, three sections mention full exemption – 500.19 (b), 500.19 (e), and 500.19 (g).

500.19 (b) exempts employees, agents, wholly owned subsidiaries, and representatives of a covered entity from developing a separate cybersecurity program.

500.19 (e) exempts inactive individual insurance brokers who do not process or access nonpublic information, have not aided in selling a policy, and have not taken out insurance on another individual’s behalf.

500.19 (g) exempts individuals and entities that would otherwise qualify as a covered entity, provided they are one of the following:

  • Charitable annuity society
  • Risk retention group that is not chartered in New York
  • Accredited or certified insurer
  • Inactive insurance agents 

In some cases, entities are partially exempt from NYDFS compliance. These include:

  • Entities with fewer than 20 employees
  • Entities with less than $7,500,000 in gross annual revenue over the last three fiscal years
  • Entities with less than $15,000,000 in year-end total assets
  • Entities that don’t directly control, maintain, access, process, generate, or receive nonpublic information are exempt from complying with the requirements of sections 500.4, 500.5, 500.6, 500.8, 500.10, 500.14(a)(1), (a)(2), and (b), 500.15, and 500.16

2. Notify the superintendent if you qualify for an exemption

To set your records right, you need to submit a notice of exemption via the DFS portal. These notices remain valid until they are terminated; you don’t have to submit one every year.

However, if a full exemption applies to your business as per section 500.19 (b), (e), or (g), it is recommended to check your exemption status on an annual basis. 

Similarly, if you qualify for a partial exemption as per section 500.19(a), (c), or (d), you have to evaluate if this exemption still applies to your business while submitting the Certification of Material Compliance or Acknowledgment of Noncompliance. 

3. Determine which sections apply to you

Once you know the exemptions, determine which sections you have to comply with. For example:

  • If you are exempt under section 500.19(a)(1), (2), or (3), sections 500.2, 500.3, 500.7, 500.9, 500.11, 500.13, and 500.17 still apply to you.
  • If you are exempt under section 500.19(c) or (d), complying with sections 500.9, 500.11, 500.13, and 500.17 is still mandatory.
  • If a partial exemption applies to you, it is mandatory to submit a Certification of Material Compliance or an Acknowledgment of Noncompliance every year as per section 500.17. The deadline is April 15.

From November 2024, you have to comply with additional requirements of sections 500.12 and 500.14(a)(3) dealing with MFA and training and awareness programs, respectively. 

4. Comply with the applicable sections

Once you have established which sections apply to you, take the steps needed to comply with their requirements.

One way to work towards NYDFS compliance is the toolkit developed by the Global Cyber Alliance (GCA). The toolkit comprises free worksheets, guidance, resources, training materials, sample policies, and more. While this method works, it is time consuming, complicated for beginners, and prone to errors because it relies heavily on manual effort.

Complying with NYDFS’s requirements is easier when using an end-to-end compliance automation platform like Sprinto. This smart tool consolidates everything you need into a single dashboard. 

  • Third-party risk management: Automate vendor discovery and risk management throughout the vendor lifecycle based on the vendor type, nature of the relationship, and data access level. Get a real-time window into vulnerabilities through automated checks on controls, time-bound alerts, and integration with popular scanning tools.
  • Policy center: Access a library of pre-built and customizable policies, track policy versions from one place, and put policy acknowledgment on autopilot. Keep policy management active and well-documented, and relieve your infosec team from the strain of manual, error-prone policy management.
  • Risk assessment: Scope out security risk across assets and processes, score risks based on their impact using industry benchmarks, determine the right treatment, and manage risk from a single source of truth. Collect, manage, and update key information such as risk scores, impact likelihood, risk owners, controls, and treatment plans in one place.
  • Seamless compliance with NYDFS: Use a highly connected compliance program that continuously monitors controls, identifies anomalies, collects auditor-friendly evidence, and triggers alerts in real time.
  • Access control: Manage access to information systems and nonpublic information using a system that maps users to critical systems based on roles, risks, and policies. The integration covers the employee life cycle from onboarding to offboarding, notifies teams of unauthorized access, and maintains detailed access logs.
  • Custom training modules: Launch compliance-aligned security programs using Sprinto’s built-in training modules, which integrate with leading trainers and offer centralized tracking and automated capture of completion evidence.
  • Automated evidence collection: Maintain an accurate and detailed audit trail powered by integrations and rule-based workflows, saved in a central repository in an audit-friendly manner.

Breaking Down NYDFS Cybersecurity Regulation Requirements

The NYDFS Cybersecurity Regulations are a set of requirements aimed at enhancing the cybersecurity of financial services companies operating under its jurisdiction.

If you fall under the NYDFS regulation, familiarize yourself with these requirements: 

500.2 Implement a robust cybersecurity program

This is your starting line, the base for building resilience. As a covered entity, you must create and maintain a cybersecurity program to protect the confidentiality, integrity, and availability of your information systems. The program should be based on your risk assessment, include security policies, be equipped to detect and respond to security breaches, recover from an incident, and meet regulatory obligations.

NYDFS is not a complex or comprehensive regulation. Its requirements cover security best practices already mandated by popular frameworks such as GDPR, ISO 27001, and SOC 2. If your business has to comply with multiple frameworks, a compliance automation tool like Sprinto helps map the common controls and reduce duplicate work.

500.3 Develop a cybersecurity policy

Security policies are your guidelines and guardrails around protecting information assets.

500.3 of NYDFS requires entities to create and implement policies to protect their information systems and the data stored in those systems. Once these are approved by a senior officer or governing body, develop and implement processes around them. Apart from the risk assessment, take the following areas into consideration while drafting your policies:

  • Information security 
  • Business continuity and recovery plan
  • System operations and availability
  • Security training and awareness
  • Development and quality assurance of system and application security
  • Physical and environmental controls
  • Customer data privacy
  • Third party risk management

500.4 Develop a cybersecurity governance program

Security governance is the framework for managing, monitoring, and mitigating risks to information security. Organizations with large and complex infrastructures often appoint a Chief Information Security Officer (CISO) to oversee these processes.

As per 500.4, entities must designate an in-house CISO or hire a third-party service provider. If the CISO is an external consultant, you have to ensure they comply with this section, appoint an individual to manage the service provider, and maintain a security program aligned with 500.4.

The second part of this section requires covered entities to report to the senior governing body on the cybersecurity program, covering:

  • Confidentiality of the non-public information
  • Integrity and security of your information systems
  • Policies and procedures
  • Material security risks
  • Effectiveness of your security program
  • History of security breaches 
  • Remediation plans
  • Changes in the security program 

Apart from designating and reporting, your governing body is responsible for overseeing activities related to risk management, such as receiving management reports, ensuring adequate resource allocation, and maintaining an effective security program. 

500.5 Minimize breaches through vulnerability management

Security vulnerabilities include unauthorized systems, misconfigured applications, and unencrypted data.

NYDFS requires entities to minimize the exploitation of security gaps by developing and implementing policies and procedures to manage vulnerabilities. The scope should cover: 

  • Penetration testing of information systems at least once a year 
  • Automated scanning of information systems. Manually scan systems that cannot be covered by automation. 
  • A monitoring process to detect new vulnerabilities and notify the right person
  • A process to prioritize and remediate vulnerabilities on time 

500.6 Maintain an audit trail

Maintaining detailed audit trails is key to ensuring accountability and transparency, and is critical for conducting investigations in the event of a breach.

500.6 covers the entity’s auditing responsibilities. Based on the findings of your risk assessment, implement a system that captures financial transactions, and retain those records for at least five years.

The second part of this section requires you to capture audit trails to detect and mitigate security risks, the record of which should be maintained for three years. 

500.7 Access privileges and management

One of the most widely adopted security best practices, limiting access to a system based on the individual’s role minimizes the possibility of data leakage. 

This practice is required by section 500.7 which mandates that covered entities should:

  • Limit access to information systems containing nonpublic information to those who need it to perform their duties
  • Limit privileged accounts to cases where such access is needed to perform an action
  • Review and update privileges periodically, disable unneeded remote access to devices, and revoke access after an employee exits
  • Develop and implement a password policy in line with industry standards
  • Monitor access logs and use an automated system that blocks commonly used passwords across your systems
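As an added example (not from this post or from Sprinto), the Python sketch below turns the 500.7 bullets above into two checks: a validator run when a password is set, which rejects commonly used passwords, and a periodic access review that flags accounts still enabled after an employee exits, privileged accounts not justified by role, and accounts with no matching employee. The blocklist, the role policy, the minimum length and the roster are constructed sample data, not values prescribed by the regulation.

```python
# Added example: checks modelled on the 500.7 bullets above.
# All data below (blocklist, role policy, roster, accounts) is constructed.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed blocklist; real deployments load a large published list.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "welcome1", "letmein"}
MIN_LENGTH = 12  # assumed policy value, not prescribed by the regulation
# Assumed mapping of which roles justify a privileged account.
ROLES_ALLOWING_PRIVILEGE = {"sysadmin", "dba"}

def password_policy_violations(candidate: str, username: str) -> List[str]:
    """Run when a password is set; returns the policy rules it breaks."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in COMMON_PASSWORDS:  # case-insensitive match
        problems.append("commonly used password")
    if username.lower() in candidate.lower():
        problems.append("contains the account name")
    return problems

@dataclass
class Account:
    user: str
    role: str
    privileged: bool
    enabled: bool

# Roster maps user -> termination date (None while still employed).
def access_review(accounts: List[Account], roster: Dict[str, Optional[date]],
                  today: date) -> List[Tuple[str, str]]:
    """Periodic review: returns (user, issue) findings for follow-up."""
    findings = []
    for acct in accounts:
        if acct.user not in roster:
            if acct.enabled:
                findings.append((acct.user, "no matching employee record"))
            continue
        left = roster[acct.user]
        if acct.enabled and left is not None and left <= today:
            findings.append((acct.user, "enabled after termination"))
        if acct.privileged and acct.role not in ROLES_ALLOWING_PRIVILEGE:
            findings.append((acct.user, "privileged account not justified by role"))
    return findings

# Constructed sample roster and account inventory.
SAMPLE_ROSTER = {"alice": None, "bob": date(2024, 8, 30), "carol": None}
SAMPLE_ACCOUNTS = [
    Account("alice", "sysadmin", privileged=True, enabled=True),
    Account("bob", "analyst", privileged=False, enabled=True),
    Account("carol", "analyst", privileged=True, enabled=True),
    Account("svc-legacy", "service", privileged=True, enabled=True),
]

def run_sample() -> List[Tuple[str, str]]:
    """Runs the review on the constructed inventory as of 2024-09-17."""
    return access_review(SAMPLE_ACCOUNTS, SAMPLE_ROSTER, date(2024, 9, 17))

if __name__ == "__main__":
    for user, issue in run_sample():
        print(f"{user}: {issue}")
```

Each finding is an item for the periodic privilege review the section calls for; the password check belongs in the account-creation and password-change path, since it needs the cleartext candidate.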

500.8 Ensure application security

Section 500.8 builds on several other requirements of the NYDFS Cybersecurity Regulation and has two parts.

Under the first part, entities must develop policies, procedures, and guidelines to secure the development of in-house applications. Under the second, these processes and procedures must be reviewed and updated by the CISO, or an equivalent qualified role, on an annual basis.

500.9 Conduct risk assessment

Periodic risk evaluation is common to security frameworks such as ISO 27001, HIPAA, and NIST CSF, and NYDFS is no exception.

500.9 states that covered entities should periodically assess the risks to their information systems. Review and update the assessment at least once a year, or whenever changes require it. The assessment should be flexible enough to revise the controls to keep up with technological developments and evolving threats.

The policies and procedures for the risk assessment should include the:

  • Criteria for evaluating the identified risks
  • Criteria for assessing the CIA (confidentiality, integrity, availability) of the information systems
  • Process detailing how the risks will be mitigated or accepted

500.11 Develop a third-party service provider security policy

In 2021, MedData, a healthcare service provider, faced a lawsuit after an employee uploaded sensitive patient data to a public server. They agreed to pay a settlement of $7 million for the damages. This is one of many incidents that highlight the importance of evaluating the risks of third-party service providers.

NYDFS requires entities to implement a third-party service provider security policy to protect information accessed by third parties. This should include: 

  • Risk assessment of third-party service providers
  • Baseline security practices that third parties should meet
  • Due diligence processes to evaluate the existing security practices of third parties
  • Periodic assessment of risks posed by third-party service providers
  • Guidelines for due diligence, such as access control procedures, use of MFA, encryption implementation, and incident notification 

500.12 Implement multi-factor authentication

As part of access privilege management, multi-factor authentication adds a layer of security that prevents unauthorized users from tampering with or stealing sensitive data.

As a covered entity, implement MFA across all information systems. This includes remote access to in-house information systems, third-party applications, and all privileged accounts.

500.14 Encrypt nonpublic information

According to research conducted by Sophos, 66% of organizations faced a ransomware attack. Encryption is one of the best ways to protect against a ransomware attack.

Your cybersecurity program’s policy must include encryption requirements that meet industry standards. If you cannot encrypt nonpublic information, use an equally effective compensating control.

500.16 Develop an incident response and business continuity management program

If an attack succeeds in compromising your systems, the inevitable results are operational disruptions, loss of confidential data, financial loss, and more. This makes incident response and business continuity a critical component of the security architecture.

NYDFS 500.16 requires covered entities to develop plans that detail investigation and remediation measures so that operational resilience, business continuity, and recovery are not disrupted. Your plans should cover:

  • Goals and processes of the response plan
  • Definition of roles, responsibilities, and decision making
  • Process for internal and external communication
  • Requirements to remediate security gaps in information systems and controls
  • Reporting and documentation of incidents and response activities
  • Data recovery from backups and review of response plans
  • Investigation of incidents and their impact, and plans to prevent recurrence

This section also requires entities to design their business continuity and disaster recovery (BCDR) plan in a way that ensures the availability and functionality of the information systems. Here’s what to include in your plan: 

  • Identified data, documents, services, infrastructure, and other essential components
  • Individuals responsible for executing each part of the BCDR plan
  • Communication plan to share information during a breach event with individuals responsible for a part of the plan
  • Process to recover critical information and resume business operations to normal
  • Identified third parties necessary for continuing business operations

500.18 Ensure data confidentiality

The aim of all security controls boils down to one goal: confidentiality. NYDFS outlines the conditions under which information a covered entity shares is protected from disclosure. This includes protections under banking, insurance, financial services, public, and other applicable state or federal laws.

Bring your own framework with Sprinto and comply with new regulations without extra effort

Sprinto’s BYOF (bring your own framework) feature supports any compliance regulation, including custom ones. You can not only set up, run, and manage a framework, but also map all common controls so that adding a new regulation requires no duplicate effort. Each time a regulatory body introduces a new regulation like NYDFS, you need only minimal groundwork to comply.

Sprinto’s magic mapping feature automatically and accurately maps controls to checks, eliminating the hassle of manual selection. You get customized suggestions for checks based on specific criteria and frameworks, which streamlines your monitoring process and avoids tedious manual check selection.

How Sprinto helps scale compliance

Want to see Sprinto in action? Get a demo to learn how we can help you.

FAQs

What are the penalties for non-compliance with NYDFS Cybersecurity Regulation?

DFS-regulated individuals or covered entities can be fined up to $1,000 for each case of violation under New York’s Financial Services Law and Insurance Law. 

What are the latest changes in the NYDFS Cybersecurity Regulation?

The updated regulation reduced the data retention period from five to three years, added new exemptions based on gross annual revenue, and clarified when covered entities must notify the NYDFS of cybersecurity events.

What does “continuous monitoring” mean in NYCRR 500.5?

Continuous monitoring refers to a program that is equipped to detect changes or anomalous behavior that may put information systems at risk or indicate the existence of vulnerabilities. 


Anwita is a cybersecurity enthusiast and veteran blogger all rolled into one. Her love for everything cybersecurity started her journey into the world of compliance. With multiple cybersecurity certifications under her belt, she aims to simplify complex security-related topics for all audiences. She loves to read nonfiction, listen to progressive rock, and watch sitcoms on the weekends.
