With cybersecurity threats on the rise, the New York State Department of Financial Services (NYSDFS) enhanced its DFS-500 cybersecurity regulation, which protects financial institutions’ customer information and IT systems. The initial regulation went into effect in 2017, and major updates were made in 2023.
DFS-500 requires qualifying financial institutions, referred to as “Covered Entities,” to conduct risk assessments and develop security programs and incident response plans based on the results of said assessment.
Who Is Required to Comply with DFS-500
Critical Components of DFS-500 Compliance
Cybersecurity Program
Cybersecurity Policies
Penetration and Vulnerability Testing
Audit Trail
Access Privileges
Risk Assessments
Third-Party Service Providers
Multi-Factor Authentication
Encryption of Nonpublic Information
Incident Response Plan
Next Steps for Financial Institutions
A Covered Entity is “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law.”
This includes, but is not limited to, the following institutions:
Organizations that fit any of the below criteria are considered exempt from certain requirements of the DFS-500 regulation:
There are several guidelines Covered Entities must comply with under updated DFS-500 regulations. These are considered the most critical:
Develop a cybersecurity program that is designed to identify and evaluate risks at regular intervals. This program must clearly outline the steps for detection, response and recovery in the event of a cybersecurity attack. It must also follow all reporting regulations outlined under the NYSDFS SHIELD Act. (Section 500.02)
Organizations must establish written cybersecurity policies based on the results of each risk assessment. These policies should define how the organization will maintain and protect personally identifiable information (PII) and the systems that house said data. (Section 500.03)
Annual penetration testing and bi-annual vulnerability assessments must be conducted based on the findings outlined in the risk assessment. (Section 500.05)
An audit trail for all cybersecurity events must be maintained for no less than three years. Audit trails for financial transactions must be maintained for no less than five years. (Section 500.06)
Access to PII and the information systems that house PII should be granted on a limited basis. Access to these systems should be reviewed frequently to ensure only those that truly need access are authorized. (Section 500.07)
A risk assessment must be conducted to analyze all cybersecurity threats and the controls in place to protect the organization. It should aim to assess the “confidentiality, integrity, security, and availability of the Covered Entity’s Information Systems and Nonpublic Information.” (Section 500.09)
All third-party service providers employed by a Covered Entity must comply with the same regulations, ensuring the security of their systems and PII. (Section 500.11)
Multi-Factor Authentication, or the use of multiple methods of identity verification, is required for all accounts accessing nonpublic information. (Section 500.12)
Nonpublic information must be encrypted when in transit over external networks and while at rest. (Section 500.15)
A written incident response plan (IRP) must be developed that outlines the internal processes for responding to and recovering from a cybersecurity event. (Section 500.16)
Penalties for violating the NYSDFS Cybersecurity Regulation are not specifically identified, but would likely fall under the purview of penalties for violating the Banking Law. Those penalties include:
Covered Entities must file their Certificate of Compliance for the 2020 calendar year by April 15, 2021.
BBH is a New York City-based managed service provider that specializes in compliance for regional banks in the tri-state area and beyond. We offer compliance support either as a stand-alone service or as a part of our complete managed services offering.
We offer a complimentary gap analysis to financial institutions. Learn more and request one to see how well you comply with DFARS and other security protocols today.
* Major updates were made to the DFS 500 regulation in 2023. Read our most recent DFS 500 blog: Master the 2023 DFS 500 Regulation: BBH Solutions' Strategy for Financial Services in NYC.