NYDFS – 23 NYCRR 500

NEW YORK STATE DEPARTMENT OF FINANCIAL SERVICES

The New York State Department of Financial Services (DFS) has passed a cybersecurity regulation to protect New York State from cyber-attacks.

The regulation will require banks, insurance companies, and other financial services institutions regulated by DFS to implement and maintain a cybersecurity program to protect consumers and ensure the safety and soundness of New York State’s financial services industry. This affects Wall Street and about 1,900 companies with $2.9 trillion (USD) in assets.

The regulation requires organizations that process or hold personally identifiable information to implement adequate security measures to protect against the loss of personal data.

To comply with the regulations and rules, organizations need to have the right systems in place for the security and encryption of stored data.

These rules affect businesses within New York State. They also apply if you provide a service to these industry firms as a vendor or on a contract basis.

Summary

  • The proposal calls for organizations to encrypt sensitive data both “in transit” and “at rest”.
  • Requires organizations that process or hold personally identifiable information to implement adequate security to protect against the loss of personal data.
  • Organizations will be required to include these enhanced data encryption standards in their contracts with third party service providers.
  • Organizations with a large number of service providers face a larger task, as they must take steps to confirm each service provider’s adherence to the encryption requirements.
  • Encryption requirements for in-transit data must be met by January 2018, while compliance for at-rest data must be met by January 2022. However, DFS expects that, prior to those dates, organizations will secure non-public information using alternative controls that have been reviewed and approved by the Chief Information Security Officer (CISO).

Main areas to implement:

  1. Establishment of a Cybersecurity Program
  2. Adoption of a Written Cybersecurity Policy
  3. Mandatory Chief Information Security Officer
  4. Cybersecurity Training for Employees
  5. Third-Party Service Providers Risk
  6. Incident Monitoring and Reporting
  7. Information Security Audits
