New York DFS – 23 NYCRR 500 Compliance

Checklist for Compliance

In response to the increasing threats of cybercriminal activity and as an effort to protect Non-Public Information (NPI)
held by entities under its jurisdiction, the New York State Department of Financial Services (DFS) implemented a cybersecurity
regulation, 23 NYCRR 500. It has twenty-three Sections and went into effect on March 1, 2017. There are
designated “Transition Periods,” but the last one expires on March 1, 2019. A few key things to consider when looking
at this Regulation:

• It applies to Covered Entities, which include those operating under NY Banking Law, Insurance Law, or Financial
  Services Law – see next page.
• It is specifically about protecting Non-Public Information; social security numbers, drivers’ license numbers,
  financial accounts, biometric records, health record, and other personal information.
• Third Parties that provide services to Covered Entities will indirectly be pulled into some type of compliance.
  See Section 500.11.

The Good News

Some may not agree that any of the regulation is good, but the requirements align with many security best practices.
For the most part, DFS is not asking for many things out of the ordinary (besides reporting and retention), and if you
comply, you will be implementing layers of protection for your company.

What to Do

1. Check the Exemptions – see next page.
2. Assess Your Risk. This supports other requirements and your decisions for prioritizing other efforts.
   1. Perform a Risk Assessment.
   2. Perform Vulnerability Assessments.
   3. Perform a Penetration Test.
3. Establish a Security Program prioritized by risk. This will require effort and time. NIST has many available resources to assist.
   1. Establish a Chief Information Security Officer(CISO). Can be internal or external staff.
   2. Implement Policies to cover required areas -see page 3.
   3. Ensure you have qualified staff. Disciplines of Security are different than IT. You may need to hire or train.
4. Develop an Incident Response Plan that includes notices to Superintendent. Requires 72-hour notice. There is additional guidance on the FAQ page.
5. Ensure that your security program addresses the following requirements (prioritized by risk):
   1. Multi-Factor Authentication
   2. Encryption of NPI
   3. Security Auditing. This typically requires a new system or Managed Security Service.
   4. Review of access privileges to NPI
6. Develop Vendor and Third Party Risk Management Program. You will need to rank your vendors and ensure that you perform due diligence on those with higher risks.
7. Develop a Data Retention Policy and Process. The Superintendent requires 5 years of records for compliance. Be familiar with other required retention periods for different types of data.
8. Annual Certification. Submit by each February 15th a written statement covering the prior calendar year.

Covered Entities

The Department of Financial Services supervises many different types of institutions. Supervision by DFS may entail chartering, licensing, registration requirements, examination, etc. More details are available on their website:

• All insurance companies
• Banks Trust Companies
• Budget Planners
• Charitable Foundations
• Check Cashers
• Consumer Credit Reporting Agencies
• Credit Unions
• Domestic Representative Offices
• Foreign Agencies
• Foreign Bank Branches
• Foreign Representative Offices
• Holding Companies
• Investment Companies (Article XII)
• Licensed Lenders
• Life Insurance Companies
• Money Transmitters
• Mortgage Bankers
• Mortgage Bankers-Exempt
• Mortgage Brokers
• Mortgage Brokers – Inactive
• Mortgage Loan Originators
• Safe Deposit Companies
• Sales Finance Companies
• Savings Banks; Savings & Loan Associations (S&L)
• Service Contract Providers

Exemptions

[fusion_table]

[/fusion_table]

23 NYCRR 500 Sections

Section 500.00 Introduction
Section 500.01 Definitions
Section 500.02 Cybersecurity Program
Section 500.03 Cybersecurity Policy.
(a) information security
(b) data governance and classification
(c) asset inventory and device management
(d) access controls and identity management
(e) business continuity and disaster recovery
(f) systems operations and availability concerns
(g) systems and network security
(h) systems and network monitoring
(i) systems and application development and
quality assurance
(j) physical security and environmental controls
(k) customer data privacy
(l) Third Party Service Provider management
(m) risk assessment
(n) incident response
Section 500.04 Chief Information Security Officer
Section 500.05 Penetration Testing and Vulnerability Assessments
Section 500.06 Audit Trail
Section 500.07 Access Privileges
Section 500.09 Risk Assessment
Section 500.10 Cybersecurity Personnel and Intelligence
Section 500.11 Third Party Service Provider Security Policy
Section 500.12 Multi-Factor Authentication
Section 500.13 Limitations on Data Retention
Section 500.14 Training and Monitoring
Section 500.15 Encryption of Nonpublic Information
Section 500.16 Incident Response Plan
Section 500.17 Notices to Superintendent
Section 500.18 Confidentiality
Section 500.19 Exemptions
Section 500.20 Enforcement
Section 500.21 Effective Date
Section 500.22 Transitional Periods
Section 500.23 Severability