23 NYCRR PART 500 Toolkit, Compliance, and Consulting Services

Financial services businesses in New York can now instantly download the NYCRR PART 500 Cybersecurity Requirements Toolkit, which contains InfoSec policies, procedures, forms, templates, risk assessment documents, and more.

Introduction to 23 NYCRR PART 500 Cybersecurity Requirements

The New York State Department of Financial Services (“DFS”) has been monitoring the continued threats facing information and financial systems by various nation-states, terrorist organizations and other related parties. These criminals are actively seeking to exploit technological vulnerabilities in hopes of gaining access to sensitive electronic data. It’s no secret that these criminals can cause huge financial losses for DFS-regulated organizations, along with New York State consumers whose private information may be compromised by a cyber-attack. Therefore, because of the seriousness of the issue and the risk to all regulated entities, DFS has implemented a robust set of cybersecurity controls designed to help promote the protection of customer information as well as the information technology systems of regulated organizations.

As such, 23 NYCRR PART 500 Cybersecurity Requirements for Financial Services Companies (the “regulation”) requires businesses to comprehensively assess their specific risk profile and design a program that addresses those risks in complete fashion. The actual New York State Department of Financial Services ruling (http://www.dfs.ny.gov/legal/regulations/proposed/rp500t.pdf) states that “Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations.” This is a game-changer indeed, one that will require organizations to spend considerable time and money in becoming compliant with the regulation.

Download the 23 NYCRR PART 500 Cybersecurity Requirements Toolkit

Banking and financial services in the state of New York – and other related entities impacted by the NYCRR PART 500 Cybersecurity Requirements – can now immediately download the first and only toolkit for helping enable full compliance. FLANK’s 23 NYCRR PART 500 Cybersecurity Requirements Toolkit includes the following 9 sections:

  • Information Security & Cybersecurity Policy and Procedures Manual
  • Business Continuity and Disaster Recovery/Contingency Planning (BCDRP/CP) Manual
  • Risk Management & Risk Assessment Program
  • Third-Party Vendor Due-Diligence and Monitoring Program
  • Data Retention and Disposal Program
  • Security Awareness Training Manual
  • Cyber Incident Response and Reporting Program (CIRRP)
  • Compliance Checklists for each 23 NYCRR 500 Section
  • Continuous Monitoring Checklist

Overview of 23 NYCRR PART 500 Cybersecurity Requirements

Becoming compliant with 23 NYCRR PART 500 requires a healthy dose of documentation – essential policies, procedures, forms, checklists, templates, and more – for ensuring your organization has full and complete coverage of all necessary mandates. Listed below are the actual prescriptive requirements set forth in 23 NYCRR PART 500, what they require, and what they really mean in terms of regulatory compliance. Understanding the true elements of each section, in other words “reading between the lines”, is essential for compliance.

Section 500.02 Cybersecurity Program

Requirement: Each Covered Entity shall maintain a cybersecurity program (the "program") designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems. Additionally, the program shall be based on the Covered Entity’s Risk Assessment and designed to perform the following functions:

  • Identify and assess internal and external cybersecurity risks.
  • Use defensive infrastructure and the implementation of policies and procedures to protect the Covered
  • Detect Cybersecurity Events.
  • Respond to identified or detected Cybersecurity Events.
  • Recover from Cybersecurity Events.
  • Fulfill applicable regulatory reporting obligations.

Additionally, a Covered Entity may meet these requirements by adopting a cybersecurity program maintained by an Affiliate, provided that the Affiliate’s cybersecurity program covers the Covered Entity’s information systems. Lastly, all documentation and information relevant to the Covered Entity’s cybersecurity program shall be made available to the superintendent upon request.

What it Really Means: It means information security best practices need to be taken seriously – once and for all – which begins by understanding, assessing, and implementing a wide range of InfoSec and cybersecurity policies, procedures and processes within your organization. Gone are the days of weak security initiatives – you’ll become a victim of a data breach if that’s your philosophy – now replaced with demanding compliance mandates for ensuring the safety and security of sensitive consumer data and information. The 23 NYCRR PART 500 Cybersecurity Requirements are essentially a natural extension and evolution of numerous other compliance mandates currently in place in various industries.

Section 500.03 Cybersecurity Policy

Requirement: Each Covered Entity will need to develop, maintain, and update a comprehensive set of information security policies and procedures – based on its Risk Assessment – for the protection of its Information Systems and the Nonpublic Information stored on those Information Systems, addressing the following areas:

  • Information security
  • Data governance and classification
  • Asset inventory and device management
  • Access controls and identity management
  • Business continuity and disaster recovery planning and resources
  • Systems operations and availability concerns
  • Systems and network security
  • Systems and network monitoring
  • Systems and application development and quality assurance
  • Physical security and environmental controls
  • Customer data privacy
  • Vendor and Third-Party Service Provider management
  • Risk assessment
  • Incident response

Authoring cybersecurity policies and procedures is often an incredibly demanding and time-consuming endeavor, and it’s why FLANK developed the 23 NYCRR PART 500 Cybersecurity Requirements Toolkit. Available for immediate download, the toolkit contains all essential documentation, and other necessary supporting forms and templates, for ensuring full compliance with 23 NYCRR PART 500.

What it Really Means: It means that regulators are getting serious – once and for all – about information security, cybersecurity and the need for protecting confidential and highly sensitive consumer/customer and internal data/information. Data breaches are at an all-time high in terms of companies being impacted, and with no end in sight, regulators in the state of New York had no choice but to start enforcing strict security rules. The bullet points above regarding a cybersecurity policy essentially mean having documented, well-written InfoSec policies, procedures, and processes.

After all, how can you protect your assets if few or no information security policies exist to help employees understand critical security issues, threats, and best practices to strive for? While documentation in the form of InfoSec policies can take dozens of hours to author and implement, we have a much easier solution, and that’s downloading the 23 NYCRR PART 500 Cybersecurity Requirements Toolkit today from the compliance experts at FLANK. Visit flank.org to learn more about our products, services, and solutions.

Section 500.04 Chief Information Security Officer

Requirement: Each Covered Entity is to identify and designate a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy. The CISO may be employed by the Covered Entity, one of its Affiliates or a Third-Party Service Provider. Responsibilities are to include the following:

  • Retain responsibility for compliance with this law.
  • Designate a senior member of the Covered Entity’s personnel responsible for direction and oversight of the Third-Party Service Provider.
  • Require the Third-Party Service Provider to maintain a cybersecurity program that protects the Covered Entity in accordance with the requirements of this law.
  • Report in writing at least annually to the Covered Entity’s board of directors or equivalent governing body. If no such board of directors or equivalent body exists, then report to a Senior Officer.
  • Cybersecurity program. The CISO shall report on the Covered Entity’s cybersecurity program and, to the extent necessary, provide coverage applicable to risks, the effectiveness of the program, any material cybersecurity events, etc.

What it Really Means: It means not just giving an employee a title and label; rather, it means that such a person is truly responsible for all aspects of an organization’s information security and cybersecurity posture. This individual should have a “say” in organizational issues, especially when it comes to information security, and should also become a vital component of the organization’s senior management team. For years, CIOs, CTOs, and CISOs were not looked upon as equals among C-level management, but that has all changed in dramatic fashion, and just recently.

Section 500.05 Penetration Testing and Vulnerability Assessments

Requirement: The cybersecurity program for each Covered Entity shall include monitoring and testing, which is essentially designed to assess the effectiveness of the Covered Entity’s cybersecurity program. In the absence of such monitoring, particularly, “continuous monitoring”, a Covered Entity shall perform an annual penetration test, along with bi-annual vulnerability assessments. It’s important to discuss the concept of “monitoring”, and also that of “continuous monitoring”. Monitoring is essentially all the relevant initiatives undertaken by organizations for ensuring their internal controls are functioning as required.

More specifically, are one’s information security and operational policies, procedures, and processes being implemented and adhered to as necessary? Effective monitoring requires many tasks, such as reviewing policies and procedures on a regular basis, inspecting audit log reports, monitoring information systems for anomalies, along with a wide-range of other activities.

What it Really Means: It means if no credible “continuous monitoring” initiatives are being performed, then penetration testing and vulnerability assessments are to be undertaken. What constitutes “credible” in the eyes of “continuous monitoring” – consider the following: Do you assess, on a regular basis, the relevant controls (i.e., policies, procedures, and processes) relating to all of your operational and security controls? Do you make changes and enhancements to such controls when necessary, and are qualified personnel responsible for maintaining an environment with an adequate system of internal controls?

This, and much more, is what’s known as “continuous monitoring”. FLANK’s 23 NYCRR PART 500 Cybersecurity Requirements Toolkit includes a “continuous monitoring” program that’s easy-to-use and implement, and available for instant download today at flank.org.

Section 500.06 Audit Trails

Requirement: Each Covered Entity shall securely maintain systems that are designed to reconstruct material financial transactions sufficient to support normal operations, and shall include audit trails designed to detect and respond to Cybersecurity Events that could harm operations. Lastly, such records are to be maintained for at least five years.

What it Really Means: The concept of “audit trails” essentially requires organizations to establish baseline events that are to be captured within information systems, and then to log, record, and archive these events.

Furthermore, from a scope perspective, audit trails need to be implemented for three core areas: (1) network devices, such as firewalls, routers, switches, load balancers, and any other network-related information systems; (2) servers, which includes the actual operating systems (O/S) and the underlying applications residing on the servers (both physical and virtual servers); and (3) end-user systems (workstations). As for which baseline events need to be captured, and for which environments, consider the following as a best practice:

Events to capture for servers, and therefore include in server audit logs:

  • Server startup and shutdown
  • Loading and unloading of services
  • Installation and removal of software
  • System alerts and error messages
  • User logon and logoff
  • System administration activities
  • Accesses to sensitive information, files, and systems
  • Account creation, modification, or deletion
  • Modifications of privileges and access controls
  • Any other additional security-related events

Events to capture within applications and databases, and therefore include in application audit logs:

  • Modifications to the application
  • Application alerts and error messages
  • User logon and logoff
  • System administration activities
  • Accesses to information and files
  • Account creation, modification, or deletion
  • Modifications of privileges and access controls
  • Any other additional security-related events

Events to capture within network devices, and therefore include in network device audit logs:

  • Device startup and shutdown
  • Administrator logon and logoff
  • Configuration changes
  • Account creation, modification, or deletion
  • Modifications of privileges and access controls
  • System alerts and error messages
  • Any other additional security-related events

Events to capture within end-user workstations:

  • User logon/logoff events
  • User account changes
  • Password changes
  • Service started or stopped
  • Object access denied (if auditing enabled)

Much has been written in the world of compliance when it comes to the broader topic of “Audit Trails”. With that said, it’s important to remember a few notable points. First and foremost, to have adequate audit trails in place, you first need to determine which baseline “events” you’ll be capturing from your information systems. The above-referenced baseline “events” are an excellent example of what to capture for four main areas: (1) network devices, (2) servers, (3) applications on the servers, and (4) end-user workstations. This solves the “scoping” issue. You’ll then have to ensure that such events are captured and sent to a stand-alone log server that can analyze and store such logs for a reasonable amount of time.
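One way to verify the second point, that the baseline events above are actually reaching the central log server, is a coverage check run over what the log server received. The following is an added example (not part of the original page or FLANK’s toolkit): it classifies constructed syslog-style lines against a hypothetical asset inventory and reports, per asset class, which baseline event categories never appeared, plus hosts that send logs but are not inventoried. The hostnames, classifier rules and log lines are all constructed for illustration.

```python
import re
from collections import defaultdict

# Baseline events per asset class, condensed from the lists above (shorthand names).
BASELINE = {
    "server": {"startup_shutdown", "service_change", "software_change",
               "logon_logoff", "account_change", "privilege_change"},
    "network": {"startup_shutdown", "admin_logon_logoff", "config_change",
                "account_change", "privilege_change"},
    "workstation": {"logon_logoff", "account_change", "password_change",
                    "service_change", "access_denied"},
}

# Constructed asset inventory: maps each expected log source to its class.
ASSET_CLASS = {"srv-db01": "server", "fw-edge01": "network", "ws-0042": "workstation"}

# Hypothetical classifier rules: (asset class, regex on the message, category).
RULES = [
    ("server", r"kernel: Linux version|systemd\[1\]: Shutting down", "startup_shutdown"),
    ("server", r"systemd\[1\]: (Started|Stopped) ", "service_change"),
    ("server", r"\b(apt|dpkg|yum|rpm)\b.*\b(install|remove)", "software_change"),
    ("server", r"sshd\[\d+\]: (Accepted|Disconnected from user)", "logon_logoff"),
    ("server", r"\buser(add|del)\[", "account_change"),
    ("server", r"sudo:.*COMMAND=.*(usermod|visudo|chmod|setfacl)", "privilege_change"),
    ("network", r"System (restart|shutdown)", "startup_shutdown"),
    ("network", r"Login permitted|Logout", "admin_logon_logoff"),
    ("network", r"executed the 'configure", "config_change"),
    ("network", r"executed the 'username", "account_change"),
    ("network", r"executed the 'privilege", "privilege_change"),
    ("workstation", r"EventID=(4624|4634)\b", "logon_logoff"),
    ("workstation", r"EventID=(4720|4726|4738)\b", "account_change"),
    ("workstation", r"EventID=(4723|4724)\b", "password_change"),
    ("workstation", r"EventID=(7036|7045)\b", "service_change"),
    ("workstation", r"EventID=4656 .*Audit Failure", "access_denied"),
]
COMPILED = [(cls, re.compile(pat), cat) for cls, pat, cat in RULES]

# Syslog-style line: "<mon> <day> <hh:mm:ss> <host> <message>".
LINE_RE = re.compile(r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) (?P<msg>.*)$")

# Constructed sample lines; some baseline events are deliberately absent.
SAMPLE_LOGS = """\
Mar 01 08:00:01 srv-db01 kernel: Linux version 5.15.0 (constructed boot line)
Mar 01 08:00:05 srv-db01 systemd[1]: Started PostgreSQL database server.
Mar 01 08:12:33 srv-db01 sshd[812]: Accepted publickey for alice from 10.0.0.5 port 50012
Mar 01 08:15:10 srv-db01 useradd[900]: new user: name=svc_backup, UID=1002
Mar 01 08:16:00 srv-db01 sudo: alice : TTY=pts/0 ; COMMAND=/usr/sbin/usermod -aG adm bob
Mar 01 08:19:55 fw-edge01 %ASA-6-605005: Login permitted from 10.0.0.9/51200 to inside:10.0.0.1/ssh for user "admin"
Mar 01 08:20:00 fw-edge01 %ASA-5-111008: User 'admin' executed the 'configure terminal' command.
Mar 01 08:20:30 fw-edge01 %ASA-5-111008: User 'admin' executed the 'username ops password ****' command.
Mar 01 09:00:00 ws-0042 Security: EventID=4624 An account was successfully logged on.
Mar 01 09:05:00 ws-0042 Security: EventID=4724 An attempt was made to reset an account's password.
Mar 01 09:06:00 ws-0042 Security: EventID=4656 Audit Failure: A handle to an object was requested.
Mar 01 09:07:00 ws-0042 Security: EventID=4720 A user account was created.
Mar 01 09:10:00 lb-old07 haproxy[22]: Proxy web started.
""".splitlines()

def classify(line):
    """Return (asset_class, host, categories) for one line, or None if unparseable."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    host, msg = m.group("host"), m.group("msg")
    cls = ASSET_CLASS.get(host, "unknown")
    cats = {cat for c, pat, cat in COMPILED if c == cls and pat.search(msg)}
    return cls, host, cats

def coverage_report(lines):
    """Baseline categories never seen per class, plus log sources outside the inventory."""
    seen = defaultdict(set)
    unknown_hosts = set()
    for cls, host, cats in filter(None, map(classify, lines)):
        if cls == "unknown":
            unknown_hosts.add(host)  # scoping gap: device logs but is not inventoried
        else:
            seen[cls] |= cats
    gaps = {cls: sorted(BASELINE[cls] - seen[cls]) for cls in BASELINE}
    return gaps, sorted(unknown_hosts)
```

Running `coverage_report(SAMPLE_LOGS)` on the constructed input flags the missing package-install, firewall-reboot and workstation-service events, and the uninventoried load balancer, which is the kind of scoping gap an assessor would ask about.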

Section 500.07 Access Privileges

Requirement: Each Covered Entity shall limit user access privileges to Information Systems that provide access to Nonpublic Information and shall periodically review such access privileges.

What it Really Means: Limiting access privileges essentially means assigning roles and responsibilities to users such that they have the minimum access necessary for performing their duties. This is a common concept known universally as Role Based Access Control (RBAC). Many directory services – especially Microsoft Active Directory – allow policies to be established via Group Policy (GPO) that limit user access privileges. Additionally, for any systems that do not authenticate against Microsoft Active Directory, steps will need to be taken to ensure that access privileges are limited there as well.

As to the term “nonpublic information”, the regulation gives a rather long, technical definition, complete with examples – so for an ounce of clarity and simplicity, just remember that “nonpublic” information is essentially any type of information that falls under one of the three main information categories:

  • Personally Identifiable Information (PII)
  • Personally Identifiable Financial Information (PIFI)
  • Protected Health Information

And to be more direct, “nonpublic” information is essentially any type of consumer, client, patient, and internal company data that should never be exposed to the public. If it’s not entirely clear whether some of the data you’re holding is “nonpublic” or not, take the conservative approach and protect it by limiting access privileges to such data.

Section 500.08 Application Security

Requirement: The cybersecurity program is to include written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications, and procedures for evaluating, assessing or testing the security of externally developed applications it utilizes. Additionally, all such documentation shall be periodically reviewed, assessed and updated as necessary by the CISO (or a qualified person).

What it Really Means: Many businesses currently develop internally – or outsource to other organizations – custom applications that are needed for business operations. Perhaps it’s internal valuation-modeling software, or a risk tool for assessing client asset allocation, or any number of other programs. The point is that a documented, formalized Systems/Software Development Life Cycle (SDLC) process needs to be in place. This means having SDLC policies and procedures, using change management/change control processes, using source code management tools, performing code reviews, and other related items.

If you’re currently outsourcing such SDLC activities, then the in-scope third party will need to provide evidence of their documentation and related processes. They can provide this in a number of ways: (1) by giving you the actual documentation, or (2) by providing a regulatory compliance report that validates their SDLC activities, such as a SOC 1, SOC 2, PCI DSS, or ISO 27001 report.

Section 500.09 Risk Assessment

Requirement: Each Covered Entity shall conduct a periodic Risk Assessment of the Covered Entity’s Information Systems sufficient to inform the design of the cybersecurity program. Furthermore, the Risk Assessment shall be updated as reasonably necessary to address changes to the Covered Entity’s Information Systems and/or business operations.

What it Really Means: It means actually performing – at a minimum – an annual information security risk assessment, one that documents an organization’s strengths, weaknesses, risks, threats, and overall concerns for its core environment. It’s not enough to have “just” a risk assessment policy in place; organizations need to actually perform the risk assessment. What’s interesting about risk assessments is that you don’t need to use costly software or hire a cadre of consultants, not at all. FLANK’s 23 NYCRR PART 500 Cybersecurity Requirements Toolkit comes complete with a comprehensive, easy-to-use, well-documented risk assessment program.

Section 500.10 Cybersecurity Personnel and Intelligence

Requirement: Each Covered Entity is to use qualified cybersecurity personnel to manage the Covered Entity’s cybersecurity risks and to perform or oversee the performance of the core cybersecurity functions, provide cybersecurity personnel with cybersecurity updates and training, and verify that key cybersecurity personnel take steps to maintain current knowledge of changing cybersecurity threats and countermeasures.

What it Really Means: It means having competent, capable and well-trained cybersecurity personnel on board; that part is relatively straightforward. However, it also requires “training”, which essentially means that such personnel should undergo annual security awareness training, along with role-based training applicable to their expertise. For example, network administrators, software developers, I.T. engineers, and others should undergo basic cybersecurity awareness training each year – at a minimum – but then also training specific to their job function.

By doing this, you are meeting the requirements put forth in Section 500.10 for "training sufficient to address relevant cybersecurity risks" and for verifying "that key cybersecurity personnel take steps to maintain current knowledge of changing cybersecurity threats and countermeasures".

Section 500.11 Third-Party Service Provider Security Policy

Requirement: Each Covered Entity is to implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third-Party Service Providers. Such policies and procedures are to be based on the Risk Assessment of the Covered Entity and shall address, to the extent applicable, the following measures for third parties:

  • Their identification and risk assessment.
  • Minimum cybersecurity practices required to be met.
  • Due diligence processes used to evaluate the adequacy of cybersecurity practices.
  • Periodic assessments based on the risk they present and the continued adequacy of their cybersecurity practices.

Furthermore, the policies and procedures shall include relevant guidelines for due diligence and/or contractual protections addressing the following for third parties:

  • Their policies and procedures for access controls, including their use of Multi-Factor Authentication, etc.
  • Their policies and procedures for use of encryption.
  • Notice in the event of a Cybersecurity Event directly impacting the Covered Entity’s Information Systems.
  • Representations and warranties addressing the Third-Party Service Provider’s cybersecurity policies.

What it Really Means: It means having in place comprehensive due-diligence and vendor management policies, procedures, and practices for all relevant third parties used by your organization. With outsourcing continuing to grow in today’s business world, the 23 NYCRR PART 500 Cybersecurity Requirements place heavy emphasis – and rightfully so – on performing the necessary initial and ongoing due-diligence measures on third parties. FLANK’s 23 NYCRR PART 500 Cybersecurity Requirements Toolkit comes complete with a comprehensive, easy-to-use and implement Third-Party Due-Diligence and Vendor Management Program that’s available for instant download today at flank.org.

Section 500.12 Multi-Factor Authentication

Requirement: Each Covered Entity shall use Multi-Factor Authentication or Risk-Based Authentication to protect against unauthorized access to Nonpublic Information or Information Systems.

What it Really Means: It means just that: implementing two-factor/multi-factor authentication (2FA) when accessing information systems. There are a multitude of tools available for 2FA, all comparable in fees, but the bigger question is scope. Specifically, which users are required to use 2FA, and why. Take note of these industry best practices, which should be applied to your environment:

Section 500.13 Limitations on Data Retention

Requirement: Each Covered Entity shall include policies and procedures regarding the secure disposal (on a periodic basis) of any Nonpublic Information that is no longer necessary for business operations or for other legitimate business purposes.

What it Really Means: It means having documented policies, procedures, and processes in place regarding data retention and disposal. Specifically, you’ll need to document the types of data you store, how it’s stored, for how long, and what data removal and destruction procedures you have in place for purging data from information systems and for destroying information systems that are retired and no longer in use. FLANK’s 23 NYCRR PART 500 Cybersecurity Requirements Toolkit comes complete with a detailed, well-written data retention and disposal policy template that’s available for instant download today at flank.org.

Section 500.14 Training and Monitoring

Requirement: Implement risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information by such Authorized Users. Also, provide for regular cybersecurity awareness training for all personnel that reflects risks identified.

What it Really Means: This is a two-fold requirement that calls for two different sets of controls to be in place. First, similar to the audit logging events required earlier, organizations should ensure such logging is in place; beyond that, the mandate to “monitor the activity of Authorized Users” can best be met through a number of initiatives, such as the following:

  • Implement required logging, per Section 500.06 Audit Trails.
  • Use of File Integrity Monitoring (FIM), a highly effective tool that detects – and alerts on – access to and changes of any files on a system.
  • Conduct documented regular review processes of user activity, and the appropriateness of such users having access.

Section 500.15 Encryption of Nonpublic Information

Requirement: Each Covered Entity is to implement controls, including encryption, to protect Nonpublic Information held or transmitted by the Covered Entity both in transit over external networks and at rest.

What it Really Means: It means using approved encryption protocols for data in transit, which means using HTTPS (port 443) for any websites that transmit data. Additionally, it means using full-disk, file and/or column-level encryption for any nonpublic data at rest. Furthermore, when accessing systems, authorized I.T. personnel should also use secure protocols, such as Secure Shell (SSH), when connecting into an I.T. computing environment.

Section 500.16 Incident Response Plan

Requirement: Each Covered Entity is to establish a written incident response plan designed to promptly respond to, and recover from, any Cybersecurity Event materially affecting the confidentiality, integrity or availability of the Covered Entity’s Information Systems or the continuing functionality of any aspect of the Covered Entity’s business or operations.

What it Really Means: It means putting in place a well-documented and thoughtful incident response and reporting plan according to the mandated requirements set forth above. FLANK’s 23 NYCRR PART 500 Cybersecurity Requirements Toolkit comes complete with a detailed, well-written Cyber Incident Response and Reporting Program (CIRRP) template that’s available for instant download today at flank.org.

Other Relevant Sections

  • Section 500.17 Notices to Superintendent
  • Section 500.18 Confidentiality
  • Section 500.19 Exemptions
  • Section 500.20 Enforcement
  • Section 500.21 Effective Date
  • Section 500.22 Transitional Periods
  • Section 500.23 Severability