New York’s Cybersecurity Regulations: What Financial Services Companies Need to Know

Published 3 October 2024

The cybersecurity regulations outlined in Part 500 of the New York State Financial Law (23 NYCRR 500) set a new standard for cybersecurity in the financial sector.

The regulations outlined in Part 500 of the New York State Financial Law apply to all entities operating under or required to operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law in New York State.

What Are the Key Requirements of 23 NYCRR 500?

Cybersecurity Programme

Each Covered Entity must maintain a comprehensive cybersecurity programme designed to protect the confidentiality, integrity, and availability of its information systems.

An organisation can achieve this requirement by implementing one of the many available frameworks used worldwide.

ISO27001:2022 is a global standard that provides a comprehensive framework for managing an organisation's information security through the implementation of an Information Security Management System (ISMS). Organisations can then use their ISMS to manage risk assessment, security controls, policy development, monitoring of company objectives and continuous improvement.

The National Institute of Standards and Technology (NIST) has also developed a Cybersecurity Framework (CSF) that helps organisations identify, assess and manage cybersecurity risks. The NIST CSF is organised around five functions: Identify (assets, data, employees), Protect (access control, data encryption, patch management), Detect (logging and monitoring of access, devices and software), Respond (incident response, disaster recovery) and Recover (repair and restore after an incident).

Cybersecurity Policy

A written policy, approved by a Senior Officer or the board of directors, must be implemented and regularly reviewed to ensure adherence to organisational policies and regulatory requirements.

The NIST CSF defines a cybersecurity policy as a high-level policy that is created to support and enforce the organisation's approach to cybersecurity by specifying in detail what information is to be protected from anticipated threats and how that protection is to be achieved.

The cybersecurity policy should be tailored to cover the organisation's security topics, such as access control, risk management, data protection and incident management. Additionally, the document should identify the key roles and responsibilities for cybersecurity within the organisation.

A cybersecurity policy should state its purpose and objectives in clear, concise language so that it is accessible to all employees. The policy should be reviewed annually to ensure it is still fit for purpose, and employees should be reminded regularly of its location and importance.

Chief Information Security Officer (CISO)

Each entity must designate a qualified CISO responsible for overseeing and implementing the cybersecurity programme, ensuring compliance with relevant regulations and industry standards.

Major cybersecurity frameworks (ISO27001:2022, NIST CSF, PCI DSS, HIPAA etc.) require roles and responsibilities to be clearly defined within organisations. The appointment of a CISO provides the organisation with the resources required to define and implement its cybersecurity programme.

A CISO should be responsible for, but not limited to, identifying security risks, developing security strategies, leading incident response exercises, ensuring compliance and promoting security awareness within the organisation.

Penetration Testing and Vulnerability Assessments

Regular testing and assessments must be conducted to identify cybersecurity vulnerabilities, inform risk management decisions, and ensure the effectiveness of the cybersecurity programme.

Major cybersecurity frameworks (ISO27001:2022, NIST CSF, PCI DSS, HIPAA etc.) require organisations to conduct security assessments of their infrastructure and applications.

The NIST CSF provides guidelines on penetration testing, as it is a crucial part of establishing an organisation's security posture. Penetration testing can be achieved by engaging third-party security assessors and agreeing a clear scope and methodology for what is to be tested. These assessors can then identify vulnerabilities within the organisation and provide detailed remediation reports.

NIST CSF and ISO27001:2022 Annex A controls can be implemented to meet the requirements for vulnerability assessments. Organisations are required to employ vulnerability scanning tools and appropriate patch management solutions so that identified vulnerabilities are remediated effectively.

Access Privileges

User access to systems containing non-public information must be limited, periodic reviews of access privileges must be conducted, and all unnecessary accesses must be revoked.

ISO27001:2022 Annex A.9 can be implemented to meet the requirements of secure access privileges within organisations. An organisation should implement an access control policy that defines access control rules, rights, and restrictions. The policy should also define the depth of the controls used which should reflect the information security risks around the information and the organisation’s appetite for managing them.

The principle of least access is the general approach favoured for protection, rather than granting unlimited access and superuser rights without careful consideration. As such, users should only get access to the network and network services they need to use or know about for their job.
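A periodic access review of the kind the regulation requires can be automated against an entitlement export. The following is an added example, not the article's or any framework's own code: the role baselines, the list of entitlements that reach non-public information (NPI), the dormancy threshold and the account records are all constructed assumptions. It raises a revocation for any entitlement outside a user's role baseline and for any NPI entitlement on an account that has not been used within the threshold.

```python
"""Periodic access review for systems holding non-public information (NPI).
Added example, not part of the original article; all data below is constructed.
"""
from datetime import date

# Constructed baseline: the entitlements each job role legitimately needs.
ROLE_BASELINE = {
    "claims_analyst": {"claims_db:read", "email"},
    "dba": {"claims_db:read", "claims_db:admin", "email"},
    "marketing": {"email", "cms:edit"},
}

# Constructed inventory: entitlements that grant access to NPI systems.
NPI_ENTITLEMENTS = {"claims_db:read", "claims_db:admin"}

# Constructed account records, as an access-review export would list them.
ACCOUNTS = [
    {"user": "alice", "role": "claims_analyst", "last_login": "2024-09-28",
     "entitlements": {"claims_db:read", "email"}},
    {"user": "bob", "role": "marketing", "last_login": "2024-09-30",
     "entitlements": {"email", "cms:edit", "claims_db:read"}},  # outside role
    {"user": "carol", "role": "dba", "last_login": "2024-04-01",
     "entitlements": {"claims_db:admin", "claims_db:read", "email"}},  # dormant
]

DORMANT_DAYS = 90  # assumed threshold for unused NPI access


def review_access(accounts, review_date, baseline=ROLE_BASELINE,
                  npi=NPI_ENTITLEMENTS, dormant_days=DORMANT_DAYS):
    """Return (user, entitlement, reason) tuples that should be revoked:
    entitlements outside the role baseline, and NPI entitlements on accounts
    not used within dormant_days. Dates are ISO-8601 strings."""
    as_of = date.fromisoformat(review_date)
    findings = []
    for acct in accounts:
        allowed = baseline.get(acct["role"], set())
        for ent in sorted(acct["entitlements"] - allowed):
            findings.append((acct["user"], ent, "outside role baseline"))
        idle = (as_of - date.fromisoformat(acct["last_login"])).days
        if idle > dormant_days:
            for ent in sorted(acct["entitlements"] & npi):
                findings.append((acct["user"], ent,
                                 f"NPI access unused for {idle} days"))
    return findings


# Review run as of a constructed date; each tuple is one access to revoke.
FINDINGS = review_access(ACCOUNTS, "2024-10-03")
```

Accounts whose entitlements match their role and that have been used recently produce no findings, so the output is the revocation list rather than the full population.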

Application Security

Procedures for secure development practices for in-house developed applications and security testing for externally developed applications must be in place to ensure the integrity and confidentiality of data processed or stored by these applications.

Major cybersecurity frameworks (ISO27001:2022, NIST CSF, PCI DSS, HIPAA etc.) require secure development practices and security testing for applications developed by organisations.

This can be achieved by implementing a secure development lifecycle (SDLC). The SDLC is a framework the organisation will follow that integrates security practices into each phase of the development process. This approach helps an organisation identify and mitigate vulnerabilities and risks earlier in the process, reducing the risk of breaches and data loss.

Developers within the organisation should also be trained annually on secure coding techniques. Secure coding training equips developers with the skills and knowledge to write code that is free of security vulnerabilities. The OWASP Top 10 developer guide is a resource that helps facilitate security training and certification within an organisation.

Risk Assessment

Periodic risk assessments must be conducted to inform the design of the cybersecurity programme, identify areas for improvement, and ensure that the programme remains effective in addressing emerging threats.

As part of implementing a cybersecurity programme, ISO27001:2022 also provides guidance on the implementation of effective risk management. One of the mandatory clauses for ISO27001:2022 certification is Clause 6: Planning. Clause 6 defines how an organisation manages risks through its chosen risk methodology and, when implemented, allows an organisation to conduct:

  • Risk assessments – systematic evaluations of information security risks to identify threats, vulnerabilities and potential impacts (Clause 6).
  • Risk treatment – the development and implementation of measures to address the identified risks, such as avoiding, reducing, transferring or accepting them (Clause 6).

Multi-Factor Authentication (MFA)

This must be used for any individual accessing the entity’s internal networks from an external network to prevent unauthorised access to sensitive information.

The NIST CSF provides a guidance framework for the implementation of MFA within organisations. Implementing NIST SP 800-63B will allow an organisation to put the following controls in place:

  • Definition of minimum requirements for MFA, including the use of at least two of the three authentication factor categories: knowledge (passwords), possession (a security token or authentication device) and inherence (such as biometrics).
  • Assessment of the organisation's risk levels and determination of the appropriate level of MFA.
  • Guidance on the implementation of MFA solutions within the organisation.
  • Ensuring users understand the importance of MFA and how to use the solutions provided.
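The requirement above has two parts that are easy to get wrong in practice: the rule applies to access from an external network, and the two factors must come from two different categories (a password plus a security question is still a single knowledge factor). The following added example, which is not the article's or NIST's code, evaluates constructed login events against that rule; the authenticator taxonomy, the internal address ranges and the events are all assumptions.

```python
"""Evaluate login events against an MFA-for-external-access rule.
Added example, not part of the original article; the taxonomy, network
ranges and events below are constructed assumptions.
"""
import ipaddress

# Constructed mapping from authenticator type to the factor category it proves.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "security_question": "knowledge",
    "totp_app": "possession",
    "hardware_token": "possession",
    "fingerprint": "inherence",
}

# Constructed internal ranges; any source outside them is an external network.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]


def is_external(src_ip):
    """True when the source address is not inside any internal range."""
    addr = ipaddress.ip_address(src_ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def distinct_factors(authenticators):
    """Set of factor categories proved; two knowledge factors count once."""
    return {FACTOR_CATEGORY[a] for a in authenticators if a in FACTOR_CATEGORY}


def evaluate(event):
    """Return (compliant, reason). External access must prove at least two
    distinct factor categories; internal access is outside this rule."""
    cats = distinct_factors(event["authenticators"])
    if not is_external(event["src_ip"]):
        return True, "internal network: external-access MFA rule not applicable"
    if len(cats) >= 2:
        return True, "MFA satisfied: " + ", ".join(sorted(cats))
    shown = ", ".join(sorted(cats)) or "no recognised"
    return False, f"external access proved {shown} factor category only"


# Constructed events: the first passes, the second fails (same category twice).
EVENTS = [
    {"user": "alice", "src_ip": "203.0.113.7",
     "authenticators": ["password", "totp_app"]},
    {"user": "bob", "src_ip": "203.0.113.8",
     "authenticators": ["password", "security_question"]},
]
RESULTS = [evaluate(e) for e in EVENTS]
```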

Data Retention and Disposal

Policies for the secure disposal of non-public information, including data retention and destruction procedures, must be implemented to ensure compliance with regulatory requirements and minimise the risk of data breaches.

ISO27001:2022 Annex A controls can be implemented for the management of data retention periods and data disposal. This control requires a formal retention policy document to be implemented that defines:

  • Purpose – Organisations must retain data for a period that meets their legal, regulatory, contractual or business requirements.
  • Retention period policies – Organisations should establish a clear retention policy that covers the types of data that are retained, the period for which each is retained and the party responsible for that data.
  • Review – Organisations should review these policies and retention periods on an annual basis.

This control requires a formal disposal policy document to be implemented that defines:

  • Secure methods – Organisations must use secure methods of data disposal.
  • Destruction – Organisations must destroy physical data (e.g. shredding, pulping, incinerating) and electronic data (e.g. overwriting, degaussing) in line with their policy.
  • Certification – If organisations outsource destruction to third parties, certification of the destruction is required.

Incident Response Plan

A written plan to respond to and recover from cybersecurity events, including incident response procedures and communication protocols, must be in place to ensure timely and effective resolution of incidents.

Major cybersecurity frameworks (ISO27001:2022, NIST CSF, PCI DSS, HIPAA etc.) all require an organisation to implement an incident response plan.

The NIST incident response lifecycle breaks incident response down into four main phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Event Activity.

Phase 1: Preparation

The preparation phase covers the work an organisation does to get ready for incident response, including establishing the right tools and resources, establishing key roles and responsibilities, and training the team.

Phase 2: Detection and Analysis

According to NIST, completing accurate identification of incidents is often the most difficult part of incident response for many organisations.

Identification is the detection of malicious activity. It can be based on security and monitoring tools, publicly available threat information or insider information. An important part of identification is to collect and analyse as much data as possible about the malicious activity.

Incident response teams must also be able to distinguish between false positives and true malicious behaviour.

Phase 3: Containment, Eradication, and Recovery

This phase focuses on keeping the incident impact as small as possible and mitigating service disruptions.

Containment: Containment is an attempt to stop the threat from spreading in the environment and doing more damage.

Eradication: This process includes identifying the point of intrusion and assessing the attack surface before removing any residual access. At this stage, the incident response team neutralises any remaining or future attack vectors.

Recovery: At this stage, the incident response team returns systems to normal operation after the remediation of identified vulnerabilities.

Phase 4: Post-Event Activity

This phase is often called the ‘lessons learned’ phase after the eradication and return to normal operation. Learning and improving after an incident is one of the most important parts of incident response.

In this phase, the incident and incident response efforts are analysed. The goals here are to establish the root cause to limit the chances of the incident happening again and to identify ways of improving the future incident response activity of the organisation.

Reporting Requirements

Covered Entities must notify the superintendent within 72 hours of determining that a cybersecurity event has occurred. Additionally, an annual certification of compliance must be submitted by April 15th each year.

Exemptions

The regulations provide some exemptions for smaller entities or those with limited operations. However, these entities must still file a Notice of Exemption.

Implications for Financial Services Companies

These regulations represent a significant shift in how financial services companies approach cybersecurity. They require a more structured, comprehensive, and proactive approach to protecting sensitive information and systems.

For many companies, complying with these regulations will require:

  1. Significant investment in cybersecurity infrastructure and personnel
  2. Regular review and updating of cybersecurity policies and procedures
  3. Increased board-level involvement in cybersecurity matters
  4. More rigorous third-party vendor management
  5. Enhanced employee training on cybersecurity awareness

For help in meeting your requirements under the NYDFS cybersecurity regulations, please get in touch with our team.