Align Your Organization with the NYDFS Cybersecurity Regulation

June 2023

by Julia Winer

The NYDFS Cybersecurity Regulation (23 NYCRR 500) is a set of rules designed to enforce strong cybersecurity practices and protect the assets and customer information held by financial organizations operating in the state of New York. These rules cover any organization that requires a NYDFS license to function and any third party that works with a NYDFS-covered entity.  

This includes: 

  • Licensed lenders 
  • Credit unions 
  • Mortgage companies 
  • Health insurers 
  • Investment companies 
  • Commercial banks 

Still, some financial organizations are exempt from this regulation, including companies with fewer than ten employees, organizations that made less than $5 million in gross annual revenue from New York business operations in each of the last three fiscal years, and organizations with less than $10 million in year-end total assets. 

The requirements imposed by this regulation cover both internal cybersecurity practices and third-party risk management (TPRM) policies. The internal requirements push organizations to increase transparency in their cybersecurity programs by assessing, documenting, reporting and disclosing the risks they face and the steps they take to mitigate the impact of a cyber event.  

Internal cybersecurity requirements include: 

  • Risk assessments: Regularly assess internal risk to identify threats 
  • Access controls: Restrict access to sensitive information 
  • Recovery planning: Document plans for responding to cybersecurity attacks and breaches, including the responsible parties and required disclosures 
  • Data retention documentation: Document the procedures used to dispose of PII (personally identifiable information) that is no longer necessary to do business 
  • Audit trail: Record all threat detection and remediation actions and retain those records for five years 
  • Annual reporting: Submit an annual report that includes the organization’s cybersecurity policies and procedures, its security risks and the effectiveness of its existing cybersecurity practices 
  • NYDFS disclosures: Notify the NYDFS within 72 hours after you’ve detected a “material” cybersecurity event 

Still, threats to your assets don’t always begin at the internal level—after all, you have substantial control over your internal cybersecurity practices, so you can often predict where the greatest risks lie and plan accordingly. Instead, it’s common for destructive cybersecurity breaches to start at a third party and find a way into your assets. The NYDFS regulates organizations’ third-party risk management (TPRM) policies to ensure that no apparently well-protected company lets hackers in through a vendor-related backdoor.  

TPRM requirements include: 

  • Risk assessments: Regularly assess third parties for cybersecurity risk 
  • Security controls: Document requirements placed on third-party service providers in order to do business together 
  • Risk evaluation: Establish a baseline and metrics for evaluating security practices at the third-party level 

Achieving compliance with these rules requires you to keep track of your cybersecurity and TPRM policies and to regularly produce detailed reports and disclosures. The ProcessUnity Platform consolidates risk data, policies and assessments from your cybersecurity and TPRM programs into a single database, enabling you to contact control owners and begin evidence collection quickly and easily. Additionally, the platform has configurable reporting capabilities, enabling your team to produce the reports you need in seconds. 

About Us

ProcessUnity is a leading provider of cloud-based applications for risk and compliance management. The company’s software as a service (SaaS) platform gives organizations the control to assess, measure, and mitigate risk and to ensure the optimal performance of key business processes. ProcessUnity’s flagship solution, ProcessUnity Vendor Risk Management, protects companies and their brands by reducing risks from third-party vendors and suppliers. ProcessUnity helps customers effectively and efficiently assess and monitor both new and existing vendors – from initial due diligence and onboarding through termination. Headquartered outside of Boston, Massachusetts, ProcessUnity is used by the world’s leading financial service firms and commercial enterprises. For more information, visit www.processunity.com.