Align Your Organization with the NYDFS Cybersecurity Regulation


June 2023

by Julia Winer

The NYDFS Cybersecurity Regulation (23 NYCRR 500) is a set of rules designed to enforce strong cybersecurity practices and protect the assets and customer information held by financial organizations operating in the state of New York. The rules apply directly to any organization that operates under a license, registration, charter or similar authorization from the NYDFS (a "covered entity"). They reach third parties indirectly: a covered entity must hold the third-party service providers it works with to the regulation's requirements, so a vendor's security practices become the covered entity's compliance problem. 

This includes: 

  • Licensed lenders 
  • Credit unions 
  • Mortgage companies 
  • Health insurers 
  • Investment companies 
  • Commercial banks 

Some smaller financial organizations qualify for a limited exemption that relieves them of certain (not all) of the regulation's requirements. At the time of writing, an organization qualifies if it meets any one of the following: fewer than ten employees (including independent contractors), less than $5 million in gross annual revenue from New York business operations in each of the last three fiscal years, or less than $10 million in year-end total assets. Even an exempt organization must file a notice of exemption with the NYDFS and still meets core obligations such as risk assessment, access controls and third-party service provider policies. 

The requirements imposed by this regulation cover both internal cybersecurity practices and third-party risk management (TPRM) policies. The internal requirements push organizations to increase transparency in their cybersecurity programs by assessing, documenting, reporting and disclosing the risks they face and the steps they take to mitigate the impact of a cybersecurity event.  

Internal cybersecurity requirements include: 

  • Risk assessments: Conduct periodic risk assessments of your information systems and use the results to design and update the cybersecurity program 
  • Access controls: Limit user access privileges to nonpublic information to what each role needs, and review those privileges periodically 
  • Incident response planning: Document a written plan for responding to and recovering from cybersecurity events, including the responsible parties, internal and external communications and the disclosures required 
  • Data retention documentation: Document procedures for the secure disposal of nonpublic information, including PII (personally identifiable information), that is no longer necessary for business operations 
  • Audit trail: Maintain records sufficient to reconstruct material financial transactions (retained for at least five years) and logs sufficient to detect and respond to cybersecurity events that could materially harm the business (retained for at least three years) 
  • Annual reporting: Have the CISO report in writing to the board at least annually on the cybersecurity program, its material risks and the effectiveness of existing controls, and file an annual certification of compliance with the NYDFS 
  • NYDFS disclosures: Notify the NYDFS within 72 hours of determining that a cybersecurity event has occurred that must be reported to another government or regulatory body, or that has a reasonable likelihood of materially harming normal operations 

Threats to your assets do not always begin inside your own environment. You have substantial control over your internal cybersecurity practices, so you can often predict where the greatest internal risks lie and plan accordingly. It is common, however, for destructive breaches to start at a third party and find a way into your assets through the access and integrations that vendor has been granted. The NYDFS therefore regulates organizations' third-party risk management (TPRM) policies to ensure that an otherwise well-protected company does not let attackers in through a compromised vendor.  

TPRM requirements include: 

  • Risk assessments: Identify your third-party service providers and assess each one for the cybersecurity risk it poses to your nonpublic information and systems 
  • Security controls: Document the minimum cybersecurity practices a third-party service provider must meet in order to do business with you 
  • Risk evaluation: Establish a due diligence process, with a baseline and metrics, for evaluating each provider's security practices, and reassess providers periodically based on the risk they present 

Achieving compliance with these rules requires you to keep track of your cybersecurity and TPRM policies and to regularly produce detailed reports and disclosures. The ProcessUnity Platform consolidates risk data, policies and assessments from your cybersecurity and TPRM programs into a single database, enabling you to contact control owners and begin evidence collection quickly and easily. Additionally, the platform has configurable reporting capabilities, enabling your team to produce the reports you need in seconds. 

About Us

ProcessUnity is the Third-Party Risk Management (TPRM) company. Our software platforms and data services protect customers from cybersecurity threats, breaches, and outages that originate from their ever-growing ecosystem of business partners. By combining the world’s largest third-party risk data exchange, the leading TPRM workflow platform, and powerful artificial intelligence, ProcessUnity extends third-party risk, procurement, and cybersecurity teams so they can cover their entire vendor portfolio. With ProcessUnity, organizations of all sizes reduce assessment work while improving quality, securing intellectual property and customer data so business operations continue to operate uninterrupted.