NYS DFS 23 NYCRR 500 Regulations (Effective March 1, 2017) New York State Department of Financial Services, Governor Cuomo Announces Proposal of First-in-the-Nation Cybersecurity Regulation to Protect Consumers and Financial Institutions. Insurance companies and other organizations regulated by the New York State Department of Financial Services (NYDFS),effective March 1, 2017, are subject to strict and specific cybersecurity regulations as outlined below. The following table summarizes each section
of the cybersecurity regulations, which requires a DFS regulated entity (not exempted from paragraph 500.19) to perform a risk assessment and use the results of that assessment to determine the development and maintenance of its cybersecurity program.
|500.02 Cybersecurity Program||Implement a cybersecurity program that:
||August 28, 2017|
|500.03 Cybersecurity Policy||Maintain written cybersecurity policies and procedures, based on the entity’s risk assessment, that are approved by a Senior Officer, the Board of Directors or equivalent governing body.||August 28, 2017|
|500.04 Chief Information Security Officer||Designate a qualified individual (employee, affiliate or third party service provider) responsible for overseeing the cybersecurity program and reporting the following to the Senior Officer, Board of Directors or equivalent governing body annually:
||August 28, 2017|
|500.05 Penetration Testing and Vulnerability Assessments||Conduct monitoring and testing to assess the effectiveness of the cybersecurity program, based on the entity’s risk assessment. Continuous monitoring or periodic penetration and vulnerability assessments should be performed. If continuous monitoring,
or an equivalent control to identify changes that may create or increase vulnerabilities, is not feasible, an entity must conduct:
|March 1, 2018|
|500.06 Audit Trail||Maintain the following for no less than five years:
||Sept 3, 2018|
|500.07 Access Privileges||User access to IS should be limited and periodically reviewed to ensure such access is appropriate.||August 28, 2017|
|500.08 Application Security||Document procedures regarding:
Such documentation must be periodically reviewed by the Chief Information Security Officer (CISO) or equivalent.
|Sept 3, 2018|
|500.09 Risk Assessment||Conduct periodic risk assessments to design the cybersecurity program and address changes to the IS, NPI or business operations. The cybersecurity program should be updated, as needed, to respond to the results of the risk assessments.||March 1, 2018 – Initial RA required before August 28, 2017 to define scope of program, policies and procedures|
|500.10 Cybersecurity Personnel and Intelligence||Qualified personnel (employees, affiliates or third party services providers) must be utilized to manage, perform and oversee the entity’s cybersecurity program. Such personnel should receive cybersecurity updates and training. An entity must
verify that key cybersecurity personnel have current knowledge of cybersecurity threats and countermeasures.
|August 28, 2017|
|500.11 Third Party Service Provider Security Policy||Document policies and procedures regarding:
||March 1, 2019|
|500.12 Multi-Factor Authentication||Establish controls to protect against unauthorized access to NPI or IS. Such controls may include multi-factor authentication, risk-based authentication or reasonably equivalent controls approved by the CISO or equivalent.||March 1, 2018|
|500.13 Limitations on Data Retention||Develop policies and procedures for the periodic, secure disposal of NPI that is no longer required for business operations or other legitimate purposes (e.g. retention is required by law or regulation).||September 3, 2018|
|500.14 Training and Monitoring||Develop policies, procedures and controls to monitor authorized user activity and detect unauthorized access to and use of NPI. Provide cybersecurity awareness training for all personnel||September 3, 2018|
|500.15 Encryption of Nonpublic Information||Implement encryption controls over NPI held and transmitted by the entity. When encryption is not feasible, the CISO or equivalent may approve alternate compensating controls. The CISO or equivalent must evaluate the feasibility of encryption
and the compensating controls no less than annually.
|September 3, 2018|
|500.16 Incident Response Plan||Implement a written incident response plan to respond to and recover from the cybersecurity events that materially affect the IS or the ability of the entity to continue its business operations.||August 28, 2017|
|500.17 Notices to Superintendent||Notify the NYDFS Superintendent within 72 hours of any cybersecurity event that has a reasonable likelihood of materially harming a material part of the entity’s normal operations or is otherwise required to be reported to a government body, self-regulatory
agency or other supervisory body. Annual certification of compliance with the cybersecurity regulation must be submitted by February 15.
|First filing – February 15, 2018|
The NYS cyber regulations can be found here.