Previously, I discussed data privacy laws, specifically involving New York State Department of Financial Services (NYDFS) 23 NYCRR 500. Now, I want to address the reasons for the regulation and the requirements.
This regulation is in place to promote the protection of nonpublic information (NPI) as well as the information technology systems of regulated entities.
Nonpublic information means all electronic information that is not publicly available information and is:
- Business-related information of a covered entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the covered entity
- Any information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements: (i) social security number, (ii) driver’s license number or non-driver identification card number, (iii) account number, credit or debit card number, (iv) any security code, access code or password that would permit access to an individual’s financial account, or (v) biometric records
- Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual and that relates to (i) the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual’s family, (ii) the provision of health care to any individual, or (iii) payment for the provision of health care to any individual
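The three categories above read as a decision rule: a record is NPI if it is material business information, if it pairs a personal identifier with at least one of the enumerated data elements (i) through (v), or if it contains health information other than age or gender, and in every case only when the information is not already public. The following is an added example, not part of the original post, showing that rule as a record-level classifier a data-inventory job could run; the field names (`ssn`, `account_number`, `diagnosis` and so on) are an assumed schema, not anything the regulation prescribes.

```python
"""Added example (not from the original post): applies the NPI definition
summarised above to a single record. All field names are assumptions."""
from dataclasses import dataclass, field

# Assumed field names that identify an individual (name, number, personal mark).
IDENTIFIER_FIELDS = {"name", "customer_number", "personal_mark"}

# Assumed field names for data elements (i)-(v); any one of them combined with
# an identifier makes the record NPI under the second category.
FINANCIAL_ELEMENT_FIELDS = {
    "ssn", "drivers_license", "non_driver_id", "account_number",
    "credit_card_number", "debit_card_number", "security_code",
    "access_code", "password", "biometric_record",
}

# Assumed health-related field names; the definition explicitly excludes
# age and gender, so those never count on their own.
HEALTH_FIELDS = {"diagnosis", "treatment", "health_payment"}
HEALTH_EXCLUDED = {"age", "gender"}


@dataclass
class Classification:
    is_npi: bool
    reasons: list = field(default_factory=list)


def classify_record(record: dict, business_sensitive: bool = False,
                    publicly_available: bool = False) -> Classification:
    """Return whether `record` is NPI and which category triggered it.

    `business_sensitive` is the caller's judgement for the first category
    (material business information); `publicly_available` short-circuits
    everything, since public information is excluded by definition.
    """
    if publicly_available:
        return Classification(False, ["publicly available information is excluded"])

    # Only populated fields count; empty strings and None are treated as absent.
    present = {k for k, v in record.items() if v not in (None, "")}
    reasons = []

    if business_sensitive:
        reasons.append("business-related information whose compromise is material")

    # Category 2: identifier AND at least one enumerated data element.
    has_identifier = bool(present & IDENTIFIER_FIELDS)
    elements = present & FINANCIAL_ELEMENT_FIELDS
    if has_identifier and elements:
        reasons.append(f"identifier combined with data element(s): {sorted(elements)}")

    # Category 3: health information, with age and gender carved out.
    health = (present & HEALTH_FIELDS) - HEALTH_EXCLUDED
    if health:
        reasons.append(f"health information: {sorted(health)}")

    return Classification(bool(reasons), reasons)


if __name__ == "__main__":
    # Constructed sample records (not real data).
    print(classify_record({"name": "A. Person", "account_number": "4411"}))
    print(classify_record({"name": "A. Person", "age": 40}))
    print(classify_record({"account_number": "4411"}))  # element without identifier
```

Note the third sample: an account number with no accompanying identifier is not NPI under the second category as the definition is written, which is exactly the kind of edge case a classifier must encode rather than guess at.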
Requirements of the NYDFS 500 Regulation
All covered entities must adopt a cybersecurity program that meets the following minimum requirements based on the covered entity’s risk assessment.
Cybersecurity Program: Maintain a cybersecurity program designed to protect the confidentiality, integrity, and availability of the information systems.
Cybersecurity Policy: Implement and maintain a written policy or policies, approved by a senior officer or the board of directors, for the protection of its information systems and nonpublic information stored on those information systems.
Chief Information Security Officer: Designate a qualified individual responsible for overseeing and implementing the cybersecurity program and enforcing the cybersecurity policy.
Penetration Testing and Vulnerability Assessments: The cybersecurity program shall include continuous monitoring or annual penetration testing and bi-annual vulnerability assessments.
Audit Trail: Securely maintain systems that (1) are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the covered entity; and (2) include audit trails designed to detect and respond to harmful cybersecurity events.
Access Privileges: Limit user access privileges to information systems that provide access to nonpublic information, and periodically review such access privileges.
Application Security: Include written procedures, guidelines, and standards designed to ensure the use of secure development practices for applications developed in house, and procedures for evaluating, assessing, or testing the security of externally developed applications.
Risk Assessment: Conduct a periodic risk assessment of the information systems and allow for the revision of controls to respond to technological developments and evolving threats.
Cybersecurity Personnel and Intelligence: Utilize qualified cybersecurity personnel to manage the cybersecurity risks and to perform or oversee the performance of the core cybersecurity functions.
Third-party Service Provider Security Policy: Implement written policies and procedures designed to ensure the security of information systems and NPI that are accessible to, or held by, third-party service providers.
Multi-factor Authentication: Based on its risk assessment, use effective controls, which may include multi-factor authentication or risk-based authentication, to protect against unauthorized access to NPI or information systems.
Limitations on Data Retention: Institute policies and procedures for the secure disposal on a periodic basis of any NPI that is no longer necessary for business, except where such information is required to be retained by law or regulation.
Training and Monitoring: (1) Monitor the activity of authorized users and detect unauthorized access or use of, or tampering with, NPI by such authorized users; and (2) provide regular cybersecurity awareness training for all personnel.
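The monitoring half of this requirement is about authorized users, so the detection question is not "did an outsider get in" but "did an insider act outside their entitlement or at an unusual volume". The following is an added example, not from the original post, that runs two such checks over constructed audit-trail lines: an action the user's role is not entitled to perform on an NPI resource, and a burst of distinct NPI records read in a short window. The log format, the role entitlement matrix and the bulk threshold are assumptions for illustration.

```python
"""Added example (not from the original post): flags authorized users who
access or modify NPI outside their entitlements or at unusual volume.
Log format, roles and thresholds are assumptions, not the regulation's."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit-trail lines (not real data).
SAMPLE_LOG = """\
2024-05-01T09:12:03Z user=jdoe role=analyst action=read resource=npi/accounts/4411
2024-05-01T09:12:09Z user=jdoe role=analyst action=read resource=npi/accounts/4412
2024-05-01T09:12:15Z user=jdoe role=analyst action=update resource=npi/accounts/4412
2024-05-01T09:13:00Z user=mlee role=teller action=update resource=npi/accounts/9001
2024-05-01T09:13:05Z user=mlee role=teller action=read resource=npi/health/77
2024-05-01T10:00:00Z user=bot1 role=analyst action=read resource=npi/accounts/1
2024-05-01T10:00:01Z user=bot1 role=analyst action=read resource=npi/accounts/2
2024-05-01T10:00:02Z user=bot1 role=analyst action=read resource=npi/accounts/3
2024-05-01T10:00:03Z user=bot1 role=analyst action=read resource=npi/accounts/4
2024-05-01T10:00:04Z user=bot1 role=analyst action=read resource=npi/accounts/5
2024-05-01T10:00:05Z user=bot1 role=analyst action=read resource=npi/accounts/6
"""

# Assumed entitlement matrix: role -> {resource prefix: allowed actions}.
ENTITLEMENTS = {
    "analyst": {"npi/accounts/": {"read"}},
    "teller": {"npi/accounts/": {"read", "update"}},
}

# Assumed bulk-access threshold: distinct NPI records per user per window.
BULK_THRESHOLD = 5
BULK_WINDOW = timedelta(minutes=1)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) resource=(?P<resource>\S+)$"
)


def parse_line(line):
    """Parse one audit line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def is_entitled(role, action, resource):
    """True only if the role has an explicit grant covering this resource."""
    for prefix, actions in ENTITLEMENTS.get(role, {}).items():
        if resource.startswith(prefix):
            return action in actions
    return False  # no matching grant: deny by default


def detect(log_text):
    """Return alerts as tuples: ("unauthorized", user, action, resource)
    or ("bulk", user, distinct_record_count, None)."""
    alerts = []
    seen = defaultdict(list)  # user -> [(timestamp, resource)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["resource"].startswith("npi/"):
            continue  # unparseable or non-NPI resource: out of scope here
        if not is_entitled(rec["role"], rec["action"], rec["resource"]):
            alerts.append(("unauthorized", rec["user"], rec["action"], rec["resource"]))
        seen[rec["user"]].append((rec["ts"], rec["resource"]))
        # Distinct NPI records this user touched inside the sliding window.
        recent = {r for t, r in seen[rec["user"]] if rec["ts"] - t <= BULK_WINDOW}
        already_flagged = any(a[0] == "bulk" and a[1] == rec["user"] for a in alerts)
        if len(recent) > BULK_THRESHOLD and not already_flagged:
            alerts.append(("bulk", rec["user"], len(recent), None))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample, `jdoe` is flagged for an update an analyst is not granted, `mlee` for reading a health resource with no grant at all (deny by default, which is the safer reading of "limit access privileges"), and `bot1` once for touching six distinct records inside the one-minute window.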
Encryption of Nonpublic Information: Implement controls, including encryption, to protect NPI held or transmitted by the covered entity both in transit over external networks and at rest.
Incident Response Plan: Establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event materially affecting the confidentiality, integrity or availability of the information systems or the continuing functionality of any aspect of the business or operations.
Notices to Superintendent: (1) Notify the superintendent within 72 hours from a determination that a harmful cybersecurity event has occurred; and (2) annually submit to the superintendent a written statement covering the prior calendar year, certifying that it is in compliance with the requirements set forth in this regulation.
For more information on NYDFS 500 and GDPR laws and regulations on the financial services industry, please download our guide here, or click below.