NYDFS compliance remains a challenge for some organizations in the financial industry, with strict requirements for cybersecurity, vendor risk management, breach reporting, and limited data retention.
Among its core requirements for financial institutions are appointing a CISO, doing periodic risk assessments, maintaining a cybersecurity program that aligns with the NIST Cybersecurity Framework, and implementing third-party risk (TPRM) and fourth-party risk management programs.
The NYDFS Cybersecurity Regulation (23 NYCRR 500) is a set of regulations from the New York State Department of Financial Services (NYDFS) that places cybersecurity requirements on all financial institutions and financial services companies, deemed Covered Entities.
Its 23 sections outline requirements for developing and implementing an effective cybersecurity program, in order to assess risk and develop a plan to proactively address it.
The NYDFS Cybersecurity Regulation impacts all entities operating or required to operate under DFS licensure, registration, charter or who are otherwise DFS-regulated, as well as their third-party vendors and service providers.
Examples of covered entities include:
However, organizations who employ less than 10 people, produced less than $5 million in gross annual revenue from New York operations in each of the past three years, or hold less than $10 million in year-end total assets, are exempt.
The regulation covers many aspects of a cybersecurity program, including data breach notifications within 72 hours, best practices from ISO 27001 standards covering access controls and identity management, business continuity and disaster recovery planning, systems and network security, periodic risk assessments, and more.
In addition, CISOs need to annually report on the organization’s cybersecurity policies and procedures, risks, and performance of current security measures.
More importantly, Covered Entities have to implement vendor management policies regarding third-party vendors who are given permissions to access systems and files covered by the regulation.
Compliant vendor risk management written policies need to cover:
The 23 NYCRR 500 regulatory standards are split in 23 sections with detailed requirements. Below are some of the main provisions.
1. Cyber Security Program (Section 500.02)
2. Chief Information Security Officer (Section 500.04)
3. Penetration Testing and Vulnerability Management (Section 500.05)
4. Audit Trail (Section 500.06)
5. Risk Assessments (Section 500.09)
6. Cybersecurity Personnel and Intelligence (Section 500.10)
7. Multi-Factor Authentication (Section 500.12)
8. Training and Monitoring (Section 500.14)
9. Encryption of Nonpublic Information (500.15)
10. Annual Compliance Certification (section 500.16)
For more information, you can read the NYDFS Cybersecurity Regulation FAQs.
Companies like Take-Two Interactive, Netskope, Vertafore, Spiff, and Charles River Laboratories use ThirdPartyTrust to assess the security of their vendors, monitor and reduce third party risk, share their security posture, prevent data breaches, and monitor for vulnerabilities.
The ThirdPartyTrust third party risk management platform can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and continuously monitoring your vendors’ security posture over time, while benchmarking them against security standards.
Each vendor is rated on risk, impact, and trust, among other key indicators, to provide you with a holistic view of the health of your vendor ecosystem, and help you focus on the highest risks.
Through more than 10 integrations with data providers, such as BitSight, SpyCloud, Osano, and more, ThirdPartyTrust provides additional intelligence on security and privacy ratings, breach history, and financial health. By automating your custom vendor risk management framework, you’ll be alerted if any score drops.
Ransomware is an epidemic. It is expected to cost organizations more than $256 billion over the next decade. How can security professionals in the Financial Services sector reduce the risk of becoming a victim?
This research report from BitSight and ThirdPartyTrust analyzed hundreds of ransomware attacks over the last three years to provide key findings that will help your organization avoid future incidents.
|cookielawinfo-checkbox-analytics||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".|
|cookielawinfo-checkbox-functional||11 months||The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".|
|cookielawinfo-checkbox-necessary||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".|
|cookielawinfo-checkbox-others||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.|
|cookielawinfo-checkbox-performance||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".|