What is NYDFS Cybersecurity Regulation (23 NYCRR 500)?
The New York Department of Financial Services (NYDFS) Cybersecurity Regulation, or 23 NYCRR 500, is a set of regulations imposed on New York’s financial institutions. Initially introduced in 2016, 23 NYCRR 500 has slowly been phased in over the last few years. New cyber threats posed by the recent COVID-19 pandemic have spurred increased focus on 23 NYCRR 500 guidance.
Does my business have to comply?
If your business operates in an NYDFS-regulated industry, you have to comply. Businesses that fall under this category are considered “Covered Entities” and include:
- Commercial banks
- Credit unions
- Foreign banks licensed in New York
- Insurance companies
- Investment companies
- Licensed lenders
- Life insurance companies
- Mortgage brokers
- Private bankers
- Savings & loan associations
If your business is regulated by NYDFS but has fewer than 10 employees, less than $5,000,000 in gross annual revenue in each of the last three fiscal years, or less than $10,000,000 in year-end total assets, you may be exempt.
How has COVID-19 impacted 23 NYCRR 500?
The NYDFS Cybersecurity Regulation reinforces basic, common-sense cyber security practices that many financial institutions may already meet if they currently comply with existing standards such as PCI DSS or the SANS CSC 20. These practices are increasingly important in the face of the global COVID-19 pandemic, as threats increase by the day. In fact, NYDFS recently issued “Guidance to Department of Financial Services (“DFS”) Regulated Entities Regarding Cybersecurity Awareness During COVID-19 Pandemic,” outlining the heightened risks associated with the pandemic and the steps to follow in order to remain secure.
These risks include:
- Remote workers: The increase in remote workers has introduced a number of unexpected risks for many businesses. Here are some ways to keep your dispersed staff as safe as they are when in the office:
  - Employ multi-factor authentication
  - Use a VPN
  - If possible, ensure employees are only using well-protected company-issued devices. If not possible, establish a Bring Your Own Device (BYOD) policy to maintain security.
  - Limit unauthorized access to video and audio conferencing tools
- Increased phishing & fraud attempts: Scammers often use timely schemes to dupe unsuspecting people into sharing personal information via email, mail, text message, or phone. Recently, these scams have included fake outreach claiming to come from the federal government (about stimulus checks), the CDC, and the WHO. These are some of the top signs of phishing and fraud attempts:
  - Misspellings
  - Vague language such as “Hello Sir or Madam”
  - A sense of urgency (“Call me back immediately or you’ll miss out!”)
  - Threats
- Third party vendors: Any vendor you use is also vulnerable to these increased threats. Confirm that they’re taking proper precautions to protect their business and yours.
What are the NYDFS requirements?
The list below includes some of the practices and safeguards that Covered Entities must implement:
- Establish a written cyber security policy
- Conduct periodic risk assessments
- Maintain an audit trail for 5 years
- Develop data retention policies
- Limit access privileges
- Create an incident response plan
- Provide notice within 72 hours after a cyber security event has occurred
How can ADKtechs help my business comply?
Our Cyber Tough security services can help your business establish and maintain compliance:
- Written information security policy
- Compliance portal
- On-demand cyber security training
- Engaging employee training videos
- Employee compliance testing
- Phishing attack simulations
- Risk assessments
- Vulnerability assessments
- Dark web breach assessments
- Penetration testing
- Audit trails
- Backup, incident response, & disaster recovery
- Email & whole disk encryption
- Spam filtering
- Asset tracking
- Mobile device management
- Endpoint protection
- Remote monitoring & management
- Web content filtering
- Access privileges
- Data retention policies
- And more