NYDFS Cybersecurity Requirements for Financial Services Companies: Phase 4 Begins Now

Michael Magrath

The New York State Department of Financial Services (NYDFS) regulates approximately 1,500 financial institutions and banks as well as over 1,400 insurance companies. With New York as the “financial capital of the world,” the vast majority of financial institutions in the U.S. fall under NYDFS regulation. In addition, many international organizations have operations in New York, and therefore also fall under NYDFS regulation. All of these banks and financial services companies must secure their assets and customer accounts against cyberattacks in compliance with the NYDFS Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500). Under the regulation, banks and financial services providers must secure their own systems as well as implement third-party risk management programs.

In response to the widespread cyberattacks on U.S. financial institutions, the NYDFS enacted the cybersecurity regulation on March 1, 2017. The regulation requires financial institutions to implement specific policies and procedures to better protect user data. Given the comprehensive list of provisions in the regulation, the NYDFS provided a two-year transitional period for compliance in four phases.

Financial institutions are also required to submit a Certification of Compliance with the regulation each year. The second annual Certification of Compliance, covering calendar year 2018 and compliance with phases 1-3 below, was due February 15, 2019.

Four Phases of NYDFS Cybersecurity Requirements for Financial Services Companies

Phase 1 (Effective September 1, 2017)

  • Section 500.02 – Develop and maintain a cybersecurity program
  • Section 500.03 – Implement and maintain written cybersecurity policies
  • Section 500.04 – Designate a Chief Information Security Officer (CISO) to enforce the organization’s cybersecurity policies and oversee the implementation of the cybersecurity program
  • Section 500.07 – Limit user access privileges
  • Section 500.10 – Cybersecurity personnel and intelligence: Ensure the training and knowledge of current cyber threats and countermeasures
  • Section 500.16 – Produce a written incident response plan
  • Section 500.17 – Notices must be sent to the Superintendent within 72 hours of a cybersecurity event

Phase 2 (Effective March 1, 2018)

  • Section 500.04 (b) – The CISO must report on the material cybersecurity risks and the cybersecurity program as a whole to the organization’s executive management or board of directors
  • Section 500.05 – Implement annual penetration testing and bi-annual vulnerability assessments
  • Section 500.09 – Conduct a periodic risk assessment
  • Section 500.12 – Multi-Factor Authentication (MFA)
    • Based on the risk assessment, each organization must use effective controls, which can include risk-based authentication or multi-factor authentication, in an effort to protect non-public information or information systems from unauthorized access
    • MFA must be used for any individual accessing the organization’s internal networks from an external network (the only exception is if the organization’s CISO has given written approval for the use of equivalent or more secure access controls)
  • Section 500.14 (b) – Provide cybersecurity awareness training for all personnel

Phase 3 (Effective September 1, 2018)

  • Section 500.06 – Audit trails must be implemented to detect and respond to cybersecurity events, and the organization shall maintain records of transactions for no fewer than five years and records of cybersecurity events for no fewer than three years
  • Section 500.08 – Application Security: The organization’s cybersecurity program must contain documented standards, procedures, and guidelines aimed at ensuring the use of secure development practices for in-house applications and procedures to evaluate the security of applications developed by third parties
  • Section 500.13 – Implement limitations on data retention
  • Section 500.14 (a) – The organization must develop risk-based procedures, policies, and controls in an effort to monitor authorized user activity and identify unauthorized access to non-public information
  • Section 500.15 – Ensure encryption of non-public information

Phase 4 (Effective March 1, 2019): The End of the Two-year Transitional Period

According to the regulation, section 500.11, on the security policy for third-party service providers, “The organization must document written procedures and policies to ensure third-party risk management programs protect information systems and non-public information.”

Key provisions of these policies are applicable to the financial institution’s own systems, including:

  • Written policies and procedures designed to protect users from risks posed by third-party service providers
  • The identification and risk assessment of third-party service providers
  • Minimum cybersecurity practices required of third parties
  • The evaluation of third-party cybersecurity practices through due diligence
  • Periodic risk-based assessments

Additionally, policies and procedures pertaining to third-party service providers are required to include relevant guidelines for due diligence as well as contractual protections, addressing:

  • Access controls, including multi-factor authentication
  • Encryption
  • Notifications to be provided to the primary organization in response to a cybersecurity event
  • Representations and warranties for a third party’s cybersecurity policies and procedures

Implementing Phase 4 of the NYDFS Cybersecurity Requirements for Financial Services Companies

Though Phase 4 must be implemented this year, it is important to point out that banks and financial institutions are not required to certify their compliance with the regulation’s third-party service provider risk management provisions until February 15, 2020.

As a customer of several New York-based financial institutions, I feel a lot better knowing that my account information is being secured with this robust regulation. The NYDFS Cybersecurity Requirements for Financial Services Companies will go a long way to protect user data from malicious attacks.

Michael Magrath is responsible for aligning OneSpan’s solution roadmap with standards and regulatory requirements globally. He is Co-Chair of the FIDO Alliance’s Government Deployment Working Group and is on the Board of Directors of the Electronic Signature and Records Association (ESRA).