Research shows the rate of breaches in the financial services sector tripled over the past five years.* After all, this is literally where the money is.
This makes financial institutions a target-rich environment for cybercriminals, since they offer multiple avenues for profit such as extortion, theft, and fraud. Beyond the obvious motivation of financial gain, nation-states and hacktivists also target the financial sector for political and ideological reasons.
As a response to the ever-growing threat posed to information and financial systems, the NY Department of Financial Services (NYDFS) has issued the NYDFS Cybersecurity Regulation (23 NYCRR 500), a relatively new set of regulations that places cybersecurity requirements on all covered financial institutions.
The regulation aims to protect DFS-regulated entities as well as New York consumers whose private information may be exposed or stolen.
The NYDFS Cybersecurity Regulation covers any organization, including nonresident licensees, that is regulated by the New York Department of Financial Services. This includes:
The regulation requires covered entities to assess their cybersecurity risk profile and to implement and maintain a comprehensive cybersecurity program that recognizes and mitigates that risk, in accordance with a specific compliance timeline.
A covered entity is defined as “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”
In the 23 NYCRR 500, the NYDFS communicates a strong sense of urgency for financial institutions to create a cybersecurity program:
“It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs. The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark. Adoption of the program outlined in these regulations is a priority for New York State.”
The 23 NYCRR 500 mandate requires several minimum standards including:
Sword & Shield partners with you to achieve NYDFS compliance. We take the stress off you by helping to make sense of the new NYDFS requirements and how they apply to your business. Our security experts help you to identify your risks and vulnerabilities, develop a remediation plan, and continue to work with you to maintain or improve your 23 NYCRR 500 compliance.
*2018 “Cost of Cyber Crime Study” published by Accenture and the Ponemon Institute