NYS DFS 23 NYCRR 500 Regulations (Effective March 1, 2017)

New York State Department of Financial Services, Governor Cuomo Announces Proposal of First-in-the-Nation Cybersecurity Regulation to Protect Consumers and Financial Institutions.

Insurance companies and other organizations regulated by the New York State Department of Financial Services (NYDFS), effective March 1, 2017, are subject to strict and specific cybersecurity regulations as outlined below. The following table summarizes each section of the cybersecurity regulations, which require a DFS regulated entity (not exempted from paragraph 500.19) to perform a risk assessment and use the results of that assessment to determine the development and maintenance of its cybersecurity program.

Section: 500.02 Cybersecurity Program
Summary: Implement a cybersecurity program that:

  • Identifies and assesses internal and external cyber risks
  • Uses defensive infrastructure to protect from unauthorized access, use or malicious acts
  • Detects, responds to and recovers from cybersecurity events
  • Fulfills regulatory reporting requirements
Compliance Period: August 28, 2017

Section: 500.03 Cybersecurity Policy
Summary: Maintain written cybersecurity policies and procedures, based on the entity’s risk assessment, that are approved by a Senior Officer, the Board of Directors or equivalent governing body.
Compliance Period: August 28, 2017

Section: 500.04 Chief Information Security Officer
Summary: Designate a qualified individual (employee, affiliate or third party service provider) responsible for overseeing the cybersecurity program and reporting the following to the Senior Officer, Board of Directors or equivalent governing body annually:

  • Assessment of the confidentiality of nonpublic information (NPI) and the integrity and security of the entity’s information systems (IS)
  • Material cyber risks to the entity
  • Material cybersecurity events involving the entity during the reporting period
  • Assessment of the overall effectiveness of the cybersecurity program
Compliance Period: August 28, 2017

Section: 500.05 Penetration Testing and Vulnerability Assessments
Summary: Conduct monitoring and testing to assess the effectiveness of the cybersecurity program, based on the entity’s risk assessment. Continuous monitoring or periodic penetration and vulnerability assessments should be performed. If continuous monitoring, or an equivalent control to identify changes that may create or increase vulnerabilities, is not feasible, an entity must conduct:

  • Annual penetration testing
  • Bi-annual vulnerability assessments
Compliance Period: March 1, 2018

Section: 500.06 Audit Trail
Summary: Maintain the following for no less than five years:

  • Records allowing the reconstruction of material financial transactions to support normal operations
  • Audit trails that detect and respond to cybersecurity events that are reasonably likely to materially harm material components of normal operations
Compliance Period: September 3, 2018

Section: 500.07 Access Privileges
Summary: User access to IS should be limited and periodically reviewed to ensure such access is appropriate.
Compliance Period: August 28, 2017

Section: 500.08 Application Security
Summary: Document procedures regarding:

  • Secure development practices for internally developed software
  • Evaluating or testing the security of externally developed applications

Such documentation must be periodically reviewed by the Chief Information Security Officer (CISO) or equivalent.
Compliance Period: September 3, 2018

Section: 500.09 Risk Assessment
Summary: Conduct periodic risk assessments to design the cybersecurity program and address changes to the IS, NPI or business operations. The cybersecurity program should be updated, as needed, to respond to the results of the risk assessments.
Compliance Period: March 1, 2018 – Initial RA required before August 28, 2017 to define scope of program, policies and procedures

Section: 500.10 Cybersecurity Personnel and Intelligence
Summary: Qualified personnel (employees, affiliates or third party service providers) must be utilized to manage, perform and oversee the entity’s cybersecurity program. Such personnel should receive cybersecurity updates and training. An entity must verify that key cybersecurity personnel have current knowledge of cybersecurity threats and countermeasures.
Compliance Period: August 28, 2017

Section: 500.11 Third Party Service Provider Security Policy
Summary: Document policies and procedures regarding:

  • Identification, risk assessments (initial and subsequent) and selection of third party service providers
  • Cybersecurity requirements to be met by the third party service providers (should equal or exceed the requirements imposed by the cybersecurity regulations)
  • Periodic due diligence testing over the adequacy of the cybersecurity practices of the third party service provider
Compliance Period: March 1, 2019

Section: 500.12 Multi-Factor Authentication
Summary: Establish controls to protect against unauthorized access to NPI or IS. Such controls may include multi-factor authentication, risk-based authentication or reasonably equivalent controls approved by the CISO or equivalent.
Compliance Period: March 1, 2018

Section: 500.13 Limitations on Data Retention
Summary: Develop policies and procedures for the periodic, secure disposal of NPI that is no longer required for business operations or other legitimate purposes (e.g. retention is required by law or regulation).
Compliance Period: September 3, 2018

Section: 500.14 Training and Monitoring
Summary: Develop policies, procedures and controls to monitor authorized user activity and detect unauthorized access to and use of NPI. Provide cybersecurity awareness training for all personnel.
Compliance Period: September 3, 2018

Section: 500.15 Encryption of Nonpublic Information
Summary: Implement encryption controls over NPI held and transmitted by the entity. When encryption is not feasible, the CISO or equivalent may approve alternate compensating controls. The CISO or equivalent must evaluate the feasibility of encryption and the compensating controls no less than annually.
Compliance Period: September 3, 2018

Section: 500.16 Incident Response Plan
Summary: Implement a written incident response plan to respond to and recover from cybersecurity events that materially affect the IS or the ability of the entity to continue its business operations.
Compliance Period: August 28, 2017

Section: 500.17 Notices to Superintendent
Summary: Notify the NYDFS Superintendent within 72 hours of any cybersecurity event that has a reasonable likelihood of materially harming a material part of the entity’s normal operations or is otherwise required to be reported to a government body, self-regulatory agency or other supervisory body. Annual certification of compliance with the cybersecurity regulation must be submitted by February 15.
Compliance Period: First filing – February 15, 2018


The NYS cyber regulations can be found here.