New York State’s Department of Financial Services (DFS) recently published a proposed amendment to its cybersecurity regulation affecting New York financial institutions. Part 500 of Title 23 of the New York Codes, Rules and Regulations (23 NYCRR 500) governs cybersecurity requirements for financial services companies. When first adopted in 2017, it was the first comprehensive cybersecurity regulation from a state government to govern the financial services sector. Since then, many other states have adopted their own cybersecurity regulations. DFS’ proposed amendment to 23 NYCRR 500 is intended to keep pace with new threats and technologies through new regulatory requirements, which are explored below.
Who Does 23 NYCRR 500 Affect?
23 NYCRR 500 affects any organization operating under or required to operate under the Banking Law, Insurance Law, or Financial Services Law of New York. This includes organizations such as state-chartered banks, money services businesses, mortgage lenders and servicers, insurance companies, credit reporting agencies, and student loan servicers.
What’s in 23 NYCRR 500?
23 NYCRR 500 defines many requirements for covered entities to protect against, detect, respond to, and recover from cyber threats. The original 2017 regulation included requirements for implementing:
- Cybersecurity policies
- Risk assessments
- Appointed CISO
- Penetration testing and vulnerability assessments
- Application Security
- Third-party security controls
- Incident response plan
- Notification of cybersecurity events
The proposed amendment to 23 NYCRR 500 expands on or adds new requirements. The changes are intended to bring clarity to the requirements and reflect the latest best practices in cybersecurity programs. Some of the most noteworthy requirement changes include:
- Cybersecurity policies must be reviewed at least annually
- A risk assessment must be conducted at least annually
- The CISO must report on the state of the cybersecurity program to the covered entity’s senior governing body at least annually, or whenever major changes arise
- The senior governing body must take ownership of cybersecurity outcomes
- Annual internal and external penetration tests must occur
- Automated vulnerability scanning and timely remediation of vulnerabilities according to risk must occur
- Accounts and permissions must be provisioned according to least privilege
- Elevated privileges must only be used when needed
- Accounts must be deprovisioned as soon as they are no longer needed
- Accounts and permissions must be audited at least annually
- MFA must be implemented for anyone accessing systems, including for remote access to both internal and third-party applications
- An asset inventory must be kept
- Cybersecurity training must be provided to all personnel at least annually
- Business Continuity and Disaster Recovery plans must be in place
- Restoring systems from backups must be tested at least annually
- Response and recovery plans must be tested at least annually
- Covered entities must annually notify the superintendent of the DFS whether they are in compliance with 23 NYCRR 500—and show proof that they are—or whether they are not in compliance and show that they have an action plan to get into compliance
- Class A entities (which are the largest covered entities in terms of personnel and revenue) must conduct independent audits at least annually and implement a Privileged Access Management (PAM) solution, a password filter, an Endpoint Detection and Response (EDR) solution, and a Security Information and Event Management (SIEM) solution
The proposed amendment to 23 NYCRR 500 is currently in a public comment period that ends August 14, 2023. Feedback can be provided on the DFS’ webpage (https://www.dfs.ny.gov/industry_guidance/cybersecurity).
How Can Sedara Help?
Sedara’s Cybersecurity Development Program can assist your organization in demonstrating compliance with 23 NYCRR 500. Trained vCISOs are experts in cybersecurity frameworks and can help you discover gaps in your cybersecurity program and create a plan of action to close those gaps and ultimately reduce your risk.
Sedara’s Security Operations Center can assist your organization in detecting and responding to threats through 24x7x365 monitoring. By utilizing Extended Detection and Response (XDR) and SIEM solutions, trained cybersecurity personnel are always monitoring your network.
Sedara’s Red Team can assist your organization in testing the strength of your security controls. Trained penetration testers can comprehensively probe your network, mimicking the tactics, techniques, and procedures of malicious actors to help you know where the weak points in your defensive security are.
More Reading on This Topic?
- Proposed amendment to 23 NYCRR 500: https://www.dfs.ny.gov/system/files/documents/2023/06/rev_rp_23a2_text_20230628.pdf
- Original 23 NYCRR 500: https://www.governor.ny.gov/sites/default/files/atoms/files/Cybersecurity_Requirements_Financial_Services_23NYCRR500.pdf