NYCRR 500

The New York State Department of Financial Services (“DFS”) has been closely monitoring the ever-growing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors. Recently, cybercriminals have sought to exploit technological vulnerabilities to gain access to sensitive electronic data.

NYCRR 500 is a regulatory compliance standard that regulates the Financial Services Industry (FSI) in New York. This regulation mandates that each institution have a cybersecurity program, a Chief Information Security Officer (CISO), access controls, asset management, data governance, secure software development practices, annual certification of its compliance, and more.

NYCRR 500 requires that banks, insurance companies, and other financial services institutions regulated by DFS establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.

The key date to keep in mind is September 1, 2017: that date marks the end of the 180-day period to comply with the guidelines set forth in 23 NYCRR 500.

The key elements of the proposal are as follows:

  • Establishment of a Cybersecurity Program that must:
    • Adopt a written Cybersecurity Policy.
    • Identify and assess internal and external cybersecurity risks that may threaten the security or integrity of data stored in the organization’s IT systems.
    • Use defensive infrastructure and implement policies and procedures to protect the IT systems from unauthorized access or malicious acts.
    • Detect Cybersecurity Events.
    • Respond to identified or detected Cybersecurity Events to mitigate any negative effects.
    • Recover from Cybersecurity Events and restore normal operations and services.
    • Fulfill applicable regulatory reporting requirements.
  • Mandatory Chief Information Security Officer
  • Cybersecurity Training for Employees
  • Third-Party Service Providers Risk
  • Incident Monitoring and Reporting
  • Information Security Audits

The cybersecurity program must also provide the ability to generate alerts when Cybersecurity Events are detected.