Due to the growing threat posed by nation-states, terrorist organizations, and cybercriminals, the New York Department of Financial Services (NYDFS) enacted 23 NYCRR 500, a groundbreaking set of cybersecurity regulations. Until the adoption of 23 NYCRR 500, financial services companies were not subject to cybersecurity-specific mandates.
What is 23 NYCRR 500?
23 NYCRR 500, which applies to NYDFS-supervised financial institutions operating in New York, aims to ensure that financial institutions under the department's supervision protect their information systems and customer data from attack.
The regulation requires covered entities to evaluate the effectiveness of their cybersecurity programs against the risks they face. Specifically, the regulation "requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion." Furthermore, the regulation requires senior management to file an annual certification that details the institution's compliance efforts.
While the regulation has been in force for several years, the NYDFS pursued its first enforcement action in July 2020. Subsequent actions will undoubtedly follow.
Who Must Comply With the 23 NYCRR 500 Regulation?
The regulation casts a wide net to include insured depository institutions, credit unions, and check cashiers. It also applies to insurance companies, trust companies, mortgage brokers, and branches of overseas banks.
However, there are some exemptions. Organizations that employ fewer than 10 employees don't have to comply, nor do those that generate less than $5 million in revenue for three years. Organizations that own less than $10 million in assets are also exempt.
What Functions Must a Compliant Cybersecurity Program Include?
Based on the covered entity's assessment of risk, a cybersecurity program should include the following core elements:
- Identification and assessment of internal and external cybersecurity risks related to nonpublic information stored within the entity's information systems.
- Defensive infrastructure coupled with policies and procedures designed to safeguard the entity's information systems and nonpublic data from unauthorized access or malicious activity.
- Detection of cybersecurity-related events.
- Identification or detection of threats, and the ability to mitigate their impact.
- Recovery capabilities from an incident, as well as mechanisms to return to normal operating conditions.
- Ability to satisfy regulatory reporting requirements.
The regulation also stipulates what constitutes an acceptable cybersecurity policy:
- A covered entity must maintain a written policy, which a senior officer or the board of directors approves.
- The entity should derive its cybersecurity policy from the results of its risk assessment, making sure to address certain areas, including the entity's information security, data governance and classification, asset inventory and device management, and access controls and identity management.
- The policy should detail the entity's business continuity and disaster recovery planning and resources, systems operations and availability, and systems and network security. For a complete list of what areas to cover, see 500.3 Cybersecurity policy.
Key Provisions of 23 NYCRR 500
Here's a brief overview of the regulation.
Penetration Testing and Vulnerability Assessments (500.05)
Financial institutions must perform annual penetration testing of their information systems. These tests must rely on risks identified through a formal risk assessment process (see section 500.09 below).
Section 500.05 also requires "bi-annual vulnerability assessments" to identify "publicly known cybersecurity vulnerabilities." This ensures that any changes made to information systems that might create or be symptomatic of a vulnerability are verified to be secure.
Continuous threat and risk monitoring, which can be provided through a security operations center (SOC) or SOC-as-a-service, is an acceptable alternative to these periodic assessments.
Risk Assessment (500.09)
Under Section 500.9, the design of an organization's cybersecurity program must be guided by periodic, formal, and documented risk assessments of its information systems. The entity should update the assessment following any changes that involve the entity's information systems, nonpublic information, or business operations.
Once cybersecurity risks are identified, policies and procedures that address those risks must be created, recorded, monitored, and enforced.
Risk assessments are crucial when tailoring security policies to an organization's particular operations. Rather than prescribing blanket policies, the onus is on the institutions to do their own due diligence and identify risks unique to their organization. This allows for the deployment of a custom-built cybersecurity program to mitigate the risks an entity faces.
Multi-Factor Authentication (500.12)
Financial institutions must implement effective security controls to protect nonpublic information from potential exposure. These controls may include multi-factor authentication or risk-based authentication as indicated through risk assessment.
Section 500.12 specifies that any access to a financial institution's internal network from an outside network must be guarded with multi-factor authentication.
Training and Monitoring (500.14)
With regard to training and monitoring, Section 500.14 stipulates that financial institutions must establish "risk-based policies, procedures and controls" that monitor authorized user behavior and actively detect unauthorized access or manipulation of nonpublic information (e.g., personally identifiable information such as names, addresses, and Social Security numbers).
Organizations must also provide periodic security training for employees, based on the risks identified via the institution's risk assessment.
How Arctic Wolf Helps You Achieve Compliance
To adhere to 23 NYCRR 500, financial institutions must make compliance a top priority. The challenge many institutions face is finding the resources and expertise to adequately address all the requirements, especially those pertaining to vulnerability assessments, risk monitoring, and user activity monitoring.
On the bright side, Section 500.4 of the regulation allows for qualified third-party service providers to manage risks and oversee a covered entity's cybersecurity function. Some security partners, like Arctic Wolf, can help you maintain compliance with all of the above provisions.
Arctic Wolf delivers industry-leading security operations solutions that help covered entities comply with 23 NYCRR 500. Through continuous monitoring, we help hundreds of financial institutions proactively monitor their environment.
Our highly trained security experts work as an extension of your team to deliver security operations as a concierge service, which includes 24/7 monitoring, detection, and response to ensure compliance with the growing number of laws and regulations covering financial services.