In 2016, the New York Department of Financial Services (NYDFS) proposed its groundbreaking NYDFS Cybersecurity Regulation, 23 NYCRR 500. The regulation is the first in the United States to require cyber security policies and protections from all covered financial institutions. The purpose of the regulation is to protect both the financial services industry and its consumers from the rising threat of cybercriminals and cyberattacks.
Regulation 23 NYCRR 500 provides organizations with a basic framework for developing comprehensive cyber security programs specific to their business models and risks. The framework has 23 sections dedicated to the requirements of developing and implementing a robust cyber security program. The strict cyber security rules imposed on the covered institutions will require each company to assess its risk profile and design a program that addresses its risks proactively and in a timely manner.
However, the NYDFS has created a phased implementation process for this new framework. Implementation is broken into four phases, with four separate effective dates, giving companies sufficient time to integrate stronger policies and controls in their businesses. The first and second phases went into effect on February 15, 2018, and March 1, 2018, respectively. Those who are already aligned with ISO 27001 or the NIST Cybersecurity Framework shouldn't have to make too many changes, but for others, there will be some work to be done before the next deadline (September 2018).
In this post, we’ll look at which companies are impacted by these new requirements and the four phases of implementing this landmark regulation.
The Scope of the NYDFS Cybersecurity Regulation
Regulation 23 NYCRR 500 applies to all financial institutions operating under NYDFS licensure (over 3,000 institutions) and to these institutions’ third-party service providers. Examples of these companies include:
- State-chartered banks
- Licensed lenders
- Private bankers
- Foreign banks authorized to operate in New York
- Mortgage companies
- Insurance companies
- Service providers
The regulation allows a limited exemption for certain covered entities, such as:
- Companies with fewer than 10 employees;
- A company that has generated less than $5 million in gross annual revenue from NY state operations;
- A company that, together with its affiliates, has less than $10 million in end-of-year total assets; and
- A licensed captive insurer that does not, or is not required to, control, access, receive, or store non-public information other than information related to its corporate affiliates.
Charitable and foreign risk groups operating in New York automatically receive an exemption. This list of exemptions is very short, and most financial institutions in New York need to be in alignment with the requirements of Regulation 23 NYCRR 500.
The Four Phases of Regulation 23 NYCRR 500 Implementation
Recognizing the significance of its new regulation, the NYDFS introduced a phased approach to compliance. Each phase has its own effective date, so organizations have enough time to implement each of the 23 components of the new cyber security framework.
Phase One: Implementing the Basics
Effective February 15, 2018
The first transitional phase went into effect on February 15, 2018, and required entities to design a cyber security policy, designate a Chief Information Security Officer (CISO), and establish an incident response plan, which includes a plan for breach notifications within 72 hours.
Phase Two: Establishing Reporting Procedures
Effective March 1, 2018
The second phase of implementation went into effect on the first of March, a year after the regulation was passed. At this point, the regulation required that a CISO be responsible for preparing an annual report covering an organization’s information security policies and procedures, cyber risks, and the effectiveness of its cybersecurity programs. Covered entities were also required to design and implement a cyber security program that continually tests for the organization’s vulnerabilities and that includes multi-factor authentication.
Phase Three: Developing a Cyber Security Program
Effective September 3, 2018
Eighteen months after the passing of the regulation, covered entities must have a cyber security program in place that includes:
- An audit trail that shows the detection of and response to material cyber security events (and must keep audit trail records for 5 years);
- Written procedures, guidelines, and standards for secure practices around in-house applications and the testing of external applications covered by the entity;
- Data retention policies for the disposal of nonpublic personal information; and
- The implementation of security controls, such as encryption of non-public business-related and personal information.
Phase Four: Securing Third Parties
Effective March 1, 2019
Two years after the regulation was issued, the final phase will go into effect. This phase focuses on the security of third-party service providers covered by financial institutions. A company’s third-party security policy is expected to define, at a minimum:
- The identification and risk assessment of third-party service providers;
- Cyber security requirements that must be met in order to conduct business between covered entities and the third-party service providers;
- The implementation of due diligence processes to evaluate the adequacy of the cyber security practices of the service providers; and
- Periodic assessments of third-party policies, procedures, and controls.
During this final phase, each financial institution is also required to implement written security policies to ensure the security of its information systems.
Regulation 23 NYCRR 500 is the first of its kind in the United States, pushing financial institutions to be more transparent and protective of the data they process and store in their financial systems. While many of the requirements within the regulation have been considered standard practices for some time, those who have waited to implement them will now be required to make some changes. But the New York DFS has broken down the implementation period into phases, providing sufficient time for companies to successfully carry out the requirements of the new regulation. The timeline for this state’s regulation will create a high expectation for stronger cyber security programs within the financial industry and may be a bellwether of regulations to come in other industries and states.
For an evaluation of your current cyber security program or assistance with meeting the requirements of Regulation 23 NYCRR 500, schedule a meeting with one of our experts.