Demystifying NY DFS NYCRR Part 500

16 NYCRR Part 500 Requirements -- icons sourced from icons8.com

Keeping customer data safe is more critical than ever, especially for financial companies. New York State has taken a big step to ensure this safety through a set of rules known as New York Codes, Rules and Regulations (NYCRR) Part 500. These rules, introduced by the New York State Department of Financial Services (NYDFS) in March 2017 and most recently updated in November 2023, are designed to make sure financial services firms in New York keep their information systems and the private data they handle secure. This blog post breaks down what NYCRR Part 500 means, who it applies to, why it’s important, and how financial firms can become compliant.


There are 16 sections to NYCRR Part 500, the 15 on the graphic above plus 500.01 which has definitions for each of the other sections. NYCRR Part 500 sets the standard for cybersecurity within New York’s financial sector. It applies to banks, insurance companies, and other financial services firms, requiring them to have solid cybersecurity practices in place. Here’s a quick overview of what these firms need to do:

 
  • 500.2: Cybersecurity Program: Establish and maintain a cybersecurity program designed to protect the integrity, confidentiality, and availability of the information systems.

  • 500.3: Cybersecurity Policy: Implement and maintain a written policy or policies, approved by a senior officer or the board of directors, that set forth the company’s policies and procedures for the protection of its information systems and nonpublic information.

  • 500.4: Chief Information Security Officer (CISO): Designate a qualified individual to serve as the CISO responsible for overseeing and implementing the cybersecurity program and enforcing its policy.

  • 500.5: Penetration Testing and Vulnerability Assessments: Conduct periodic penetration testing and bi-annual vulnerability assessments to identify and mitigate risks to the information systems.

  • 500.6: Audit Trail: Maintain systems that, to the extent applicable, are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the covered entity; and include audit trails designed to detect and respond to cybersecurity events.

  • 500.7: Access Privileges: Limit user access privileges to information systems that provide access to nonpublic information and periodically review such access privileges.

  • 500.8: Application Security: Implement written procedures, guidelines, and standards designed to ensure the security of applications developed in-house and externally developed applications used by the covered entity.

  • 500.9: Risk Assessment: Conduct periodic risk assessments of the covered entity’s information systems to inform the design of the cybersecurity program.

  • 500.10: Cybersecurity Personnel and Intelligence: Employ sufficient cybersecurity personnel to manage the covered entity’s cybersecurity risks and to perform the core cybersecurity functions. Provide cybersecurity personnel with cybersecurity updates and training.

  • 500.11: Third-Party Service Provider Security Policy: Implement written policies and procedures designed to ensure the security of information systems and nonpublic information that are accessible to, or held by, third-party service providers.

  • 500.12: Multi-Factor Authentication: Use multi-factor authentication or risk-based authentication to protect against unauthorized access to nonpublic information or information systems.

  • 500.13: Limitations on Data Retention: Implement policies and procedures for the secure disposal of nonpublic information that is no longer necessary for business operations or for other legitimate business purposes.

  • 500.14: Training and Monitoring: Implement risk-based policies, procedures, and controls designed to monitor the activity of authorized users and detect unauthorized access or use of, or tampering with, nonpublic information by such authorized users.

  • 500.15: Encryption of Nonpublic Information: Encrypt all nonpublic information held or transmitted by the covered entity both in transit over external networks and at rest, to the extent feasible.

  • 500.16: Incident Response Plan: Establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event that affects the confidentiality, integrity, or availability of the covered entity’s information systems or the nonpublic information stored on those systems.

 

NYCRR Part 500 also requires that you “notify the Superintendent of any cybersecurity event that has a reasonable likelihood of materially harming any material part of the normal operations of the covered entity within 72 hours from determination of the event.” In other words, if you are the victim of a successful cyberattack, you must make the NY DFS Superintendent aware of the attack within 72 hours.

Who does NYCRR Part 500 Apply to?

Part 500 applies to all entities and individuals chartered, licensed, or approved to operate in New York state by DFS under Banking, Insurance, and Financial Services Laws. In the regulation, they are called Covered Entities or CEs, so we’ll use that language here.
 
Covered Entities range from small brokers to the largest and most complex international banking and insurance entities and include:
  • Insurance companies, producers, agents, and brokers
  • Banks, trusts, and foreign bank branches
  • Mortgage banks, brokers, and lenders
  • Money transmitters, check cashers, and other non-depository financial institutions.

What are the Types of Covered Entities?

 

Class A

  • Must comply with all requirements.

Exempt

  • Limited or fully exempt organizations.

Standard

  • Must comply with most requirements.

  • Most covered entities are in this category.

 

The class that your organization falls into is calculated based on your organization and its affiliates. Affiliates “are organizations that share information systems, cybersecurity resources, or any part of the security program with the covered entity.” The qualification criteria for each class are listed below, in order. This means that as you read through the list, as soon as you find criteria that apply to your business, you’ll know your class. In other words, if you have over $1B in annual revenue, you’ll qualify as a Class A company, irrespective of how many employees you have.

 

Class A Companies are companies that:

 

Have at least $20 million in gross annual revenue in each of the last two years from ALL business operations of the Covered Entity and the New York business operations of its Affiliates, and EITHER:

 
  • More than 2,000 employees averaged over the last two years, including employees of both the Covered Entity and all Affiliates no matter where located, or

  • Over $1 billion in gross annual revenue in each of the last two years from ALL business operations of the Covered Entity and all Affiliates no matter where located.

 

Exempt Companies are companies that fall into one of the following two subclasses:

 

Fully Exempt:

  • Wholly owned subsidiaries covered by the cybersecurity program of another Covered Entity.

  • Inactive individual insurance brokers (for 1+ years) who do not otherwise qualify as a Covered Entity.

  • Inactive individual insurance agents and individual Mortgage Loan Originators.

  • Reciprocal jurisdiction reinsurers recognized pursuant to 11 NYCRR Part 125. 

 

Limited Exemption:

  • Entities that do not have information systems and do not maintain Nonpublic Information (NPI).

  • Captive insurance companies (Covered Entities under Article 70 of the Insurance Law) that do not have, and are not required to maintain, NPI.

  • Small businesses that can meet any of the below thresholds:

    • 20 employees and independent contractors including those of its Affiliates.

    • $7.5 million in gross annual revenue including revenue from the New York business operations of Affiliates.

    • $15 million in year-end total assets including those of its Affiliates.

 

Standard Companies are companies that:

 
  • Covered Entities that do not qualify for full or limited exemptions or as Class A Companies will be referred to for this training as “Standard” Companies.

  • Standard companies must comply with most, but not all, requirements in the amended regulation.

 

Why was NYCRR Part 500 Updated in November 2023?

The regulation was updated to reflect the significant changes in the cybersecurity landscape since 2017:

  • Threat actors have become more sophisticated and prevalent.

  • Cyber-attacks have become easier to perpetrate (e.g., via ransomware as a service).

  • Cyber-attacks have become more expensive to remediate.

  • More and better controls are available to manage cyber risk at reasonable cost.

The amended regulation incorporates current best practices to better protect businesses, consumers, and their data from these emerging cyber threats.

 

What is the Implementation Timeline?

The timeline differs depending on your business classification.

What's Next?

The enhanced NYCRR Part 500 regulations mark a pivotal shift towards fortifying the cybersecurity framework within New York’s financial sector. As cyber threats evolve in complexity and scale, the updated rules serve not only as a mandate but as a guiding beacon for financial institutions striving to safeguard sensitive customer data and maintain the integrity of their information systems. Compliance with these regulations is not merely about adhering to legal requirements; it is a proactive step towards building trust with customers, enhancing the resilience of the financial infrastructure against cyber threats, and ultimately, securing the financial well-being of both the institutions and the individuals they serve.

 

For financial companies, staying ahead in the cybersecurity arms race requires a commitment to ongoing vigilance, investment in advanced security measures, and fostering a culture of cybersecurity awareness throughout the organization. By embracing the principles outlined in NYCRR Part 500, financial institutions can navigate the complex cybersecurity landscape with confidence, ensuring they are well-equipped to respond to and recover from cyber incidents, while also meeting the high standards of protection expected by regulators, customers, and the broader community.

 

The journey to compliance with NYCRR Part 500 offers an opportunity for financial entities to reassess their cybersecurity posture, identify gaps in their defenses, and implement robust security measures that will stand the test of time. As the digital age continues to advance, the commitment to cybersecurity excellence will remain a key differentiator for financial institutions, underscoring their dedication to customer protection, operational resilience, and the safeguarding of the financial system at large.

 
Organizations that are struggling with their compliance journey can leverage Blacksmith to put their security program in full swing. By deploying a robust security program including Policies, Risk Management, User Training, and a security roadmap, you can get ahead of the regulation timelines and more quickly have peace of mind that you’ll be able to attest to full compliance with NY DFS NYCRR Part 500.
