Near the end of last year, Financial Services Superintendent Maria T. Vullo announced that the New York State Department of Financial Services (DFS) had updated its proposed first-in-the-nation cybersecurity regulation to protect New York State from the ever-growing threat of cyber-attacks. The proposed regulation, which will be effective 01 March 2017, will require banks, insurance companies, and other financial services institutions regulated by DFS to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.

“New Yorkers must be confident that the banks, insurance companies, and the other financial institutions that they rely on are securely handling and establishing necessary protocols that ensure the security and privacy of their sensitive personal information,” said Superintendent Vullo. “This updated proposal allows an appropriate period of time for regulated entities to review the rule before it becomes final and make certain that their systems can effectively and efficiently meet the risks associated with cyber threats.”

Scope of 23 NYCRR 500

The proposal is very broad; it covers any individual/organization that operates under (or that is required to operate under) a license, registration, charter, certificate, permit, accreditation, etc. under New York banking, insurance, or financial services laws.  Smaller entities have some exceptions but must comply with some of the regulation’s requirements. State-chartered and foreign banks licensed to operate in New York are also included (e.g. Goldman Sachs Group, Barclays, and Deutsche Bank).

As I mentioned above, the proposal becomes effective 01 March 2017 with an 180-day grace period for compliance. The final deadline to comply with the guidelines is 30 September 2017.

The key elements of the proposal are as follows, and a summary of these elements can be found here:

  1. Establishment of a Cybersecurity Program
  2. Adoption of a Written Cybersecurity Policy
  3. Mandatory Chief Information Security Officer
  4. Cybersecurity Training for Employees
  5. Third-Party Service Providers Risk
  6. Incident Monitoring and Reporting
  7. Information Security Audits

What you need to know:

Written policies (as defined in section 500.3) are an important first step, but compliance requires the demonstration of consistent policy enforcement. Forensic data and reporting are needed to demonstrate consistent enforcement of these new rules, and there are four sections in particular where Scrutinizer provides many benefits.

Information Security—500.3 (a)(1)

Being able to protect the sensitive and confidential information hosted on systems is critical in the financial industry. You must have a policy in place that allows you to identify who should have access to sensitive information. When a security breach takes place, you need to see what the bad actors have gained access to and what saw. Finally, you need to be able to prove if somebody outside of your authorized list accessed the sensitive information.

Systems and Network Security—500.3 (a)(7)

When it comes to systems and network security, there should be a policy that defines what security tools are in place and the protections that they offer. What tools do you have in place, and how do you know what security functions they provide? Regardless of the tools, you need to define a policy outlining how the tools protect your sensitive information.

Systems and Network Monitoring—500.3 (a)(8)

To enforce the policies of Systems and Network Security, active surveillance and analysis of network systems is required. Without baselining user and traffic behavior, network and security teams are blind to network activity. You need to have an exhaustive record of normal traffic patterns, and you must set up a system that alerts when traffic deviates.

Incident Response—500.3 (a)(14)

The main goal in any incident response and forensic threat investigation solution is to provide teams with the ability to respond quickly to incidents. With that in mind, using such a solution provides organizations with the ability to respond quickly to threats and discover where they’ve gone.

If you’d like to read more about these regulations, check out our document on NYCRR-500-brochure.


Justin Jett is Director of Audit and Compliance at Plixer with roles ranging from system administration of web services to technical product marketing for Plixer’s incident response system, Scrutinizer. Jett, a graduate of the University of Maine at Farmington, is an avid learner of all things security, with a particular interest in TLS and DNS attacks.


Leave a Reply

Your email address will not be published.