Research shows the rate of breaches in the financial services sector tripled over the past five years.* After all, this is literally where the money is.
This makes financial institutions a target-rich environment for cybercriminals, since they offer multiple avenues for profit such as extortion, theft, and fraud. Beyond the obvious motivation of financial gain, nation-states and hacktivists also target the financial sector for political and ideological reasons.
As a response to the ever-growing threat posed to information and financial systems, the New York Department of Financial Services (NYDFS) has issued the NYDFS Cybersecurity Regulation (23 NYCRR 500). This is a relatively new set of regulations that places cybersecurity requirements on all covered financial institutions.
The regulation aims to protect DFS-regulated entities as well as New York consumers whose private information may be exposed or stolen in cybersecurity events.
The NYDFS Cybersecurity Regulation covers any organization, including nonresident licensees, that is regulated by the New York Department of Financial Services. This includes:
The regulation requires covered entities to assess their cybersecurity risk profile and to implement and maintain a comprehensive cybersecurity program that identifies and mitigates that risk, in accordance with a specific compliance timeline.
A covered entity is defined as “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”
This cybersecurity program should be aligned with the NIST Cybersecurity Framework (CSF) core functions:
In addition, the NYDFS Cybersecurity Regulation specifies requirements beyond those of the CSF, including protecting nonpublic information.
In the 23 NYCRR 500, the NYDFS communicates a strong sense of urgency for financial institutions to create a cybersecurity program:
“It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs. The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark. Adoption of the program outlined in these regulations is a priority for New York State.”
The 23 NYCRR 500 mandate requires several minimum standards including:
The European Union’s (EU) General Data Protection Regulation (GDPR) and the NYDFS regulation share a common goal: protecting consumers’ personally identifiable information (PII), data that can be used to identify an individual.
Many GDPR and NYDFS requirements overlap. These include requirements for the following:
The consumer privacy regulation space has become fragmented. Determining which regulations your organization must comply with and how to do so can be difficult. US companies that must adhere to both frameworks benefit from mapping their compliance to fulfill common requirements and avoid duplicated effort.
Sword &amp; Shield offers third-party NYDFS cyber risk consulting services. We partner with you to identify and remediate gaps to achieve NYDFS compliance.
Sword & Shield takes the stress off you by helping to make sense of the new NYDFS requirements and how they apply to your business. Our security experts help you to identify your risks and vulnerabilities, develop a remediation plan, and continue to work with you to maintain or improve your 23 NYCRR 500 compliance.
*2018 “Cost of Cyber Crime Study” published by Accenture and the Ponemon Institute
Request a Free 23 NYCRR 500 Certification Consultation