Cybersecurity Compliance: New York is blazing the trail with updated regulations.

By Kathy Tomasofsky, Executive Director, Money Services Business Association

Maintaining a secure workplace has increased in complexity each year as our reliance on technology is integrated into our everyday work lives. Add in the Covid years of remote work, and you have even more exposure. The New York Department of Financial Services (NYDFS) first addressed the need for financial services companies to establish cybersecurity policies and procedures in March 2017. These requirements, 23 NYCRR Part 500 (referred to as “Part 500” or “the Cybersecurity Regulation”), were recently updated to address the significant changes in the cybersecurity landscape that have occurred in the last six years.

New York State is taking an aggressive approach to protecting New York’s critical infrastructure, personal information, and digital assets from malicious actors.

As a result, Part 500 was amended again, effective November 1, 2023. The amendment requires an in-depth review of a company’s current policies and procedures to ensure compliance with the newly updated rules. There are multiple implementation dates, so it is incumbent on the company to establish an appropriate implementation plan.

Who is covered?

The New York DFS Requirement applies to all entities operating under or required to operate under DFS licensure, registration, or charter, or which are otherwise DFS-regulated, as well as, by extension, unregulated third-party service providers to regulated entities. Examples of covered entities include:

  • State-chartered banks
  • Licensed lenders
  • Private bankers
  • Foreign banks licensed to operate in New York
  • Mortgage companies
  • Insurance companies
  • Service providers
  • Money transmitters

The Part 500 requirements are risk-based and identify different types of companies and their corresponding obligations. Some provisions for exemptions remain, but they are very limited, and a request to be exempt must be submitted to and approved by DFS.

The Cybersecurity Regulation as implemented with the Part 500 amendments focuses on the need for the Chief Information Security Officer (CISO) and the Chief Compliance Officer (CCO) to collaborate more and not operate in separate silos. It is essential for the CISO to understand the tools that compliance uses to set red flags, handle reporting and work remotely. These are all windows that can leave the organization vulnerable to attack.

The Cybersecurity program must incorporate the following key components:

  • Identify all cybersecurity threats, both internal and external.
  • Employ defense infrastructure to protect against those threats.
  • Use a system to detect cybersecurity events.
  • Respond to all detected cybersecurity events.
  • Work to recover from each cybersecurity event.
  • Fulfill various requirements for regulatory reporting.

Example Control: Multi-Factor Authentication (MFA), Section 500.12

The updated requirements note that based on its Risk Assessment, each Covered Entity must use effective controls, which may include MFA or risk-based authentication, to protect against unauthorized access to Nonpublic Information or Information Systems. Effective November 1, 2025, a Covered Entity must use MFA for any individual accessing the Covered Entity’s internal networks from an external network, unless the Covered Entity’s CISO has approved in writing the use of equivalent or more secure access controls.
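One practical way to check an organization against the Section 500.12 remote-access requirement is to audit authentication logs for external-network logins that used no MFA and are not covered by a written CISO exception. The following Python script is an added example written for this article, not code from the author, NYDFS or CSBS. The log format, the sample log lines, the internal address ranges and the exception register are all constructed assumptions; a real deployment would read from the VPN or identity provider export and maintain the exception list under change control.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample log lines (not from any real system). Format per line:
# timestamp|user|source_ip|mfa=yes|no
SAMPLE_LOG = """\
2024-03-01T08:02:11Z|alice|203.0.113.45|mfa=yes
2024-03-01T08:05:37Z|bob|198.51.100.7|mfa=no
2024-03-01T08:09:02Z|carol|10.20.30.40|mfa=no
2024-03-01T08:12:48Z|svc-backup|192.0.2.10|mfa=no
2024-03-01T08:15:00Z|dave|2001:db8::1|mfa=no
"""

# Hypothetical register of accounts for which the CISO has approved, in writing,
# an equivalent or more secure control in place of MFA (the 500.12 exception).
# The memo reference is a placeholder; keep the real register under change control.
CISO_APPROVED_EXCEPTIONS = {
    "svc-backup": "certificate-based authentication, CISO memo PLACEHOLDER-ID",
}

# Assumed internal address space: RFC 1918 ranges plus the IPv6 unique-local range.
# Anything outside these is treated as an "external network" for this audit.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


@dataclass
class Finding:
    timestamp: str
    user: str
    source_ip: str
    reason: str


def is_external(ip_str):
    """True when the source address is not inside any assumed internal network."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETWORKS)


def parse_line(line):
    """Split one constructed log line into (timestamp, user, ip, mfa_used)."""
    ts, user, ip, mfa = line.strip().split("|")
    return ts, user, ip, mfa.split("=", 1)[1].lower() == "yes"


def audit(log_text, exceptions=CISO_APPROVED_EXCEPTIONS):
    """Return a Finding for every external login without MFA and without a CISO exception."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, mfa_used = parse_line(line)
        if not is_external(ip):
            continue          # internal-network access is outside 500.12's remote-access rule
        if mfa_used:
            continue          # compliant
        if user in exceptions:
            continue          # CISO-approved equivalent control on file
        findings.append(Finding(ts, user, ip,
                                "external access without MFA and no CISO-approved exception"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user:<12} {f.source_ip:<16} {f.reason}")
```

Run against the constructed sample, the audit flags `bob` and `dave` (external sources, no MFA), passes `alice` (MFA used) and `carol` (internal network), and skips `svc-backup` because it appears in the exception register. Keeping the exception register as data rather than hard-coded logic makes it easy to hand the list to examiners alongside the CISO's written approvals.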

As you can see, the updated regulations require an in-depth review and plan by both the CISO and CCO, as there are multiple implementation dates, changes to operating procedures and new reporting periods for security breaches.

New York’s regulations are by far the most rigorous of the states within the Money Transmission licensing space, but they establish a standard that other states may follow. Taking the time to review and ensure applicability across all product lines now may save not just time but money as others move forward.

State Regulations:

The Conference of State Bank Supervisors (CSBS) has resources for state licensees that provide insights into areas that are reviewed by state regulators in the exam process.

The Baseline Nonbank Cybersecurity Exam Program and the Enhanced Nonbank Cybersecurity Exam Program are tools used by state examiners nationwide to assess the cyber preparedness of nonbank entities. The tools provide companies with the ability to improve their cybersecurity posture and better prepare for cybersecurity exams conducted by state examiners.

Another tool available to licensees is the CSBS Ransomware Self-Assessment Tool.

These resources assist in implementing a risk-based cybersecurity program. Using tools from the regulator helps ensure that everyone has the same understanding.

Merging the CISO and CCO roles is critical in the payments process to ensure the protection of a company’s assets and consumers.
