With cybersecurity threats on the rise, the New York State Department of Financial Services (NYSDFS) has strengthened its cybersecurity regulation, 23 NYCRR Part 500 (commonly called "DFS-500"), which protects the customer information and IT systems of financial institutions under its supervision. The regulation took effect on March 1, 2017, and a second amendment with major updates was adopted in November 2023.
DFS-500 requires qualifying financial institutions, referred to as "Covered Entities," to conduct periodic risk assessments and to build their cybersecurity program, written policies and incident response plan on the results of those assessments.
Jump to:
Who Is Required to Comply with DFS-500
Critical Components of DFS-500 Compliance
Cybersecurity Program
Cybersecurity Policies
Penetration and Vulnerability Testing
Audit Trail
Access Privileges
Risk Assessments
Third-Party Service Providers
Multi-Factor Authentication
Encryption of Nonpublic Information
Incident Response Plan
Impacts of Non-Compliance
Next Steps for Financial Institutions
Who Is Required to Comply with DFS-500?
A Covered Entity is "any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law." (Section 500.01)
This includes, but is not limited to, the following institutions:
- Service providers that themselves hold a DFS license, registration or charter (other third-party service providers are not Covered Entities, but are addressed through Section 500.11).
- Insurance companies.
- Mortgage companies.
- Foreign banks licensed to operate in the state of New York.
- Licensed lenders.
- Private banks.
- State-chartered banks.
Organizations that meet any of the criteria below qualify for a limited exemption and are relieved of certain requirements of the DFS-500 regulation (Section 500.19). The thresholds as originally adopted were:
- Fewer than ten employees (including independent contractors).
- Less than $5 million in gross annual revenue from New York operations in each of the last three fiscal years.
- Less than $10 million in year-end total assets.
The 2023 amendment raised these thresholds to fewer than 20 employees, less than $7.5 million in gross annual revenue and less than $15 million in year-end total assets. An exempt entity must still file a Notice of Exemption with the Department and remains subject to the requirements that the exemption does not cover.
Critical Components of DFS-500 Compliance
There are several guidelines Covered Entities must comply with under updated DFS-500 regulations. These are considered the most critical:
Cybersecurity Program
Develop a cybersecurity program that is designed to identify and evaluate risks at regular intervals and that protects the confidentiality, integrity and availability of the Covered Entity's Information Systems. The program must cover detection of cybersecurity events, response to them and recovery from them, and it must be documented so that it can be produced to the Department on request. (Section 500.02) Reporting obligations are separate: under Section 500.17, a Covered Entity must notify the Superintendent within 72 hours of determining that a cybersecurity event has occurred that requires notice to another government body, self-regulatory agency or supervisory body, or that has a reasonable likelihood of materially harming its normal operations. Note that the New York SHIELD Act is a separate General Business Law breach-notification requirement enforced by the Attorney General, not part of DFS-500.
Cybersecurity Policies
Organizations must establish written cybersecurity policies based on the results of their risk assessments, approved by a senior officer or the board. These policies must define how the organization protects its Information Systems and the Nonpublic Information (NPI) they hold; NPI is the regulation's term and is broader than personally identifiable information (PII), covering business-sensitive data and health information as well. (Section 500.03)
Penetration and Vulnerability Testing
As originally adopted, the regulation required annual penetration testing and bi-annual (twice-yearly) vulnerability assessments, conducted in accordance with the risk assessment. The 2023 amendment requires annual penetration testing from both inside and outside the boundaries of the Information Systems, and replaces the fixed-interval vulnerability assessments with automated scans (plus manual review of systems the scans cannot cover) at a frequency determined by the risk assessment and promptly after any material system change. (Section 500.05)
Audit Trail
Covered Entities must maintain two kinds of records: audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming normal operations, retained for no less than three years, and records sufficient to reconstruct material financial transactions, retained for no less than five years. (Section 500.06)
Access Privileges
User access privileges to Information Systems that provide access to Nonpublic Information must be limited to what each user's role requires (least privilege), and those privileges must be reviewed periodically so that only people who still need access remain authorized. The 2023 amendment adds explicit requirements for privileged-account controls, prompt removal of access when it is no longer needed, and restriction of remote-control protocols. (Section 500.07)
Risk Assessments
A periodic risk assessment (at least annually, and whenever a material change occurs, under the 2023 amendment) must be conducted to analyze the cybersecurity threats facing the organization and the adequacy of the controls in place. It must consider the "confidentiality, integrity, security, and availability of the Covered Entity's Information Systems and Nonpublic Information" and be sufficient to inform the design of the cybersecurity program. (Section 500.09)
Third-Party Service Providers
A Covered Entity must adopt written policies and procedures to ensure the security of the Information Systems and Nonpublic Information that its third-party service providers can access or hold. These must include risk-based due diligence before engaging a provider, minimum cybersecurity practices the provider is required to meet (such as multi-factor authentication and encryption), and periodic reassessment of the provider's controls. The regulation does not make the provider itself a Covered Entity; the obligation sits with the Covered Entity. (Section 500.11)
Multi-Factor Authentication
Multi-factor authentication, meaning identity verification using at least two of something you know, something you have and something you are, was originally required for any individual accessing the Covered Entity's internal networks from an external network, unless the CISO approved reasonably equivalent controls in writing. The 2023 amendment expands this to any individual accessing any of the Covered Entity's Information Systems, with a transition period running to November 2025. (Section 500.12)
Encryption of Nonpublic Information
Nonpublic Information must be encrypted both in transit over external networks and at rest. The original regulation allowed CISO-approved compensating controls where encryption was infeasible; the 2023 amendment removes that allowance for data in transit and permits compensating controls for data at rest only, subject to annual CISO review. (Section 500.15)
Incident Response Plan
A written incident response plan (IRP) must be developed that defines the internal processes for responding to and recovering from a cybersecurity event, including roles and responsibilities, escalation and external communications, remediation, and post-incident review. The 2023 amendment also requires business continuity and disaster recovery plans and periodic testing of both. (Section 500.16)
Impacts of Non-Compliance
The NYSDFS Cybersecurity Regulation does not set its own penalty schedule; violations are enforced under the Department's existing authority, and for banking institutions the Banking Law penalties are the likely reference point. Those penalties include:
- $2,500 per day during which a violation continues,
- $15,000 per day in the event of any reckless or unsound practice or pattern of misconduct, or
- $75,000 per day in the event of a knowing and willful violation.
Next Steps for Financial Institutions
Covered Entities must file an annual Certification of Compliance with the Department by April 15 covering the prior calendar year (Section 500.17); the certification for the 2020 calendar year was due by April 15, 2021.
BBH is a New York City-based managed service provider that specializes in compliance for regional banks in the tri-state area and beyond. We offer compliance support either as a stand-alone service or as a part of our complete managed services offering.
We offer a complimentary gap analysis to financial institutions. Learn more and request one to see how well you comply with DFS-500 and other security frameworks today.
* Major updates were made to the DFS 500 regulation in 2023. Read our most recent DFS 500 blog: Master the 2023 DFS 500 Regulation: BBH Solutions' Strategy for Financial Services in NYC.