NYDFS compliance remains a challenge for some organizations in the financial industry, with strict requirements for cybersecurity, vendor risk management, breach reporting, and limited data retention.
Among its core requirements for financial institutions are appointing a CISO, doing periodic risk assessments, maintaining a cybersecurity program that aligns with the NIST Cybersecurity Framework, and implementing third-party risk (TPRM) and fourth-party risk management programs.
What is the NYDFS Cybersecurity Regulation?
The NYDFS Cybersecurity Regulation (23 NYCRR 500) is a set of regulations from the New York State Department of Financial Services (NYDFS) that places cybersecurity requirements on all financial institutions and financial services companies, deemed Covered Entities.
Its 23 sections outline requirements for developing and implementing an effective cybersecurity program, in order to assess risk and develop a plan to proactively address it.
What types of organizations are Covered Entities?
The NYDFS Cybersecurity Regulation impacts all entities operating or required to operate under DFS licensure, registration, charter or who are otherwise DFS-regulated, as well as their third-party vendors and service providers.
Examples of covered entities include:
- Credit unions
- Mortgage brokers
- Insurance providers
- Commercial banks
- Private bankers
- Licensed lenders
- Foreign banks licensed to operate in New York
However, organizations who employ less than 10 people, produced less than $5 million in gross annual revenue from New York operations in each of the past three years, or hold less than $10 million in year-end total assets, are exempt.
NYDFS Cybersecurity Regulation and Third Party Risk Management
The regulation covers many aspects of a cybersecurity program, including data breach notifications within 72 hours, best practices from ISO 27001 standards covering access controls and identity management, business continuity and disaster recovery planning, systems and network security, periodic risk assessments, and more.
In addition, CISOs need to annually report on the organization’s cybersecurity policies and procedures, risks, and performance of current security measures.
More importantly, Covered Entities have to implement vendor management policies regarding third-party vendors who are given permissions to access systems and files covered by the regulation.
Read More: Third-Party Risk Management for Financial Services Organizations
Compliant vendor risk management written policies need to cover:
- A vendor risk assessment questionnaire template and due diligence process to evaluate the effectiveness of a third-party’s security posture
- Minimum security requirements for third-party vendors, i.e, SOC 2 assurance
- Penetration testing
- Periodic assessment of third-party policies and controls
- Qualified cybersecurity professionals to manage risk and provide mandatory, ongoing cybersecurity training
- Use of the principle of least privilege to reduce the risk of privilege escalation attacks
- Use of multi-factor authentication for all inbound connections to an organization’s network
- Notification of any cybersecurity event that could cause material harm, i.e. a data breach
NYDFS Compliance Checklist
The 23 NYCRR 500 regulatory standards are split in 23 sections with detailed requirements. Below are some of the main provisions.
1. Cyber Security Program (Section 500.02)
2. Chief Information Security Officer (Section 500.04)
3. Penetration Testing and Vulnerability Management (Section 500.05)
4. Audit Trail (Section 500.06)
5. Risk Assessments (Section 500.09)
6. Cybersecurity Personnel and Intelligence (Section 500.10)
7. Multi-Factor Authentication (Section 500.12)
8. Training and Monitoring (Section 500.14)
9. Encryption of Nonpublic Information (500.15)
10. Annual Compliance Certification (section 500.16)
For more information, you can read the NYDFS Cybersecurity Regulation FAQs.
How ThirdPartyTrust Can Improve Security and Compliance Across Your Supply Chain
Companies like Take-Two Interactive, Netskope, Vertafore, Spiff, and Charles River Laboratories use ThirdPartyTrust to assess the security of their vendors, monitor and reduce third party risk, share their security posture, prevent data breaches, and monitor for vulnerabilities.
The ThirdPartyTrust third party risk management platform can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and continuously monitoring your vendors’ security posture over time, while benchmarking them against security standards.
Read More: How To Make Vendor Risk Management Easier and More Efficient
Each vendor is rated on risk, impact, and trust, among other key indicators, to provide you with a holistic view of the health of your vendor ecosystem, and help you focus on the highest risks.
Through more than 10 integrations with data providers, such as BitSight, SpyCloud, Osano, and more, ThirdPartyTrust provides additional intelligence on security and privacy ratings, breach history, and financial health. By automating your custom vendor risk management framework, you’ll be alerted if any score drops.
Book a demo of the ThirdPartyTrust TPRM platform today.
Ransomware in the Financial Sector
Ransomware is an epidemic. It is expected to cost organizations more than $256 billion over the next decade. How can security professionals in the Financial Services sector reduce the risk of becoming a victim?
This research report from BitSight and ThirdPartyTrust analyzed hundreds of ransomware attacks over the last three years to provide key findings that will help your organization avoid future incidents.
