ABSTRACT

The New York State Department of Financial Service 23 NYCRR 500, also known as “Cybersecurity Requirements for Financial Services Companies,” took effect March 1, 2017.

“The New York State Department of Financial Services (DFS or NYSDFS) [1] is the department of the New York state government responsible for regulating financial services and products, including those subject to the New York insurance, banking, and financial services laws.” The Department supervises over 4000 entities whose assets exceed US$6 trillion. DFS supervises all types of banks, insurance companies, and entities associated with the banking and insurance sector. The types of businesses covered include, but are not limited to: state-chartered banks, trust companies, insurance, reinsurance, and insurance brokerage companies, insurance adjusters, bail bond agents, service contractors, budget planners, charitable foundations, check cashing businesses, investment companies, mortgage bankers and brokers, private equity premium finance agencies, private bankers, savings banks, and savings and loans. Broker dealers are not in scope as of this writing.

As per the law [2]: NYS DFS has been closely monitoring the ever-growing threat posed to information and financial systems by nation-states, terrorist organizations, and independent criminal actors. Cybercriminals are exploiting technological vulnerabilities to gain access to sensitive digital data and can cause significant financial losses for DFS-regulated entities and for New York consumers whose private information may be revealed and/or stolen for illicit purposes. The bottom line is that NYS financial institutions are critical infrastructure and must be protected as fully as possible.

The financial services industry is the top target of cybercriminals. Some financial services companies have proactively expanded their cybersecurity programs to reduce cyber risk. However, in order to stabilize the financial economy, DFS has decided to set minimum regulatory cybersecurity standards to ensure that all firms take their cybersecurity seriously.

DFS does not prescribe a control assessment framework in the way PCI does. The regulation is crafted to promote the protection of customer information and the digital assets of regulated entities. It requires each company to perform a risk assessment that aligns with its cyber risk maturity and risk profile. Based on the results, firms must design a cyber risk program that reduces cyber risk to acceptable levels. The executive has the fiduciary duty to protect the digital assets and is responsible for the organization's cybersecurity program.

Firms must appoint a CISO. The CISO is the person responsible for managing the cybersecurity program. CISOs must file an annual certification confirming compliance with the NYS DFS 23 NYCRR Part 500 regulations. The cybersecurity program must ensure that the regulation's minimum standards are met.