NYS DFS Cybersecurity Regulation 2nd Amendment Summary
23 NYCRR 500, 2nd Amendment (“Reg 500”)
On November 1, 2023, the New York State Department of Financial Services (DFS) released the second amendment to their cybersecurity regulations. This amendment not only codifies long-standing requests made by DFS auditors but also introduces several changes that will necessitate careful planning for implementation. Notably, DFS has provided generous timelines for compliance in many cases.
At Cyber Defense Institute, we are fully prepared to assist you in the implementation of these new requirements. We will be conducting individual consultations with all of our DFS-regulated clients to ensure a seamless transition to these updated regulations. As new information becomes available, we will promptly update this page to reflect the evolving landscape.
It's essential to emphasize that this page serves as a summary of the changes applicable to non-exempt organizations and is not exhaustive. Additionally, detailed implementation guidelines are not provided within the regulation or on this page.
We highly recommend that you reach out to us with any questions or inquiries through our Contact page.
Changes to DFS Regulation 500 Requiring Additional Implementation
(For Covered Entities with No Exemptions)
Effective Date: November 1, 2023
500.3 Cybersecurity Policies
Policies must undergo annual updates and approval by the Board.
Policies must encompass additional areas, including retention, end-of-life management, remote access, monitoring, security awareness and training, application security, notification, and vulnerability management.
Procedures must be developed, documented, and implemented in accordance with the policies.
500.4 Cybersecurity Governance
Designate a senior staff member responsible for overseeing third-party vendors with access to Nonpublic Personal Information (NPI).
Mandate that third-party vendors maintain a cybersecurity program to safeguard covered entities from cybersecurity events.
CISO Board Reports must now include:
Plans for addressing any cybersecurity inadequacies.
Timely reporting of significant cybersecurity events and significant changes to the cybersecurity program.
The Board must exercise oversight of the covered entity's cybersecurity risk management by:
Gaining sufficient understanding of cybersecurity-related matters to exercise oversight or seeking advice from experts.
Requiring the covered entity's executive management to establish and maintain the cybersecurity program.
Regularly receiving and reviewing management reports about cybersecurity.
Confirming that the covered entity's management has allocated sufficient resources to implement and maintain an effective cybersecurity program.
500.5 Vulnerability Management
Each covered entity must develop and implement written policies and procedures for vulnerability management, ensuring that they:
Conduct penetration testing both inside and outside information system boundaries by a qualified party at least annually.
Conduct scans of information systems, determined by risk assessment and after significant changes, for discovering and reporting vulnerabilities.
Receive timely alerts regarding new vulnerabilities through a monitoring system.
Promptly remediate vulnerabilities, prioritizing those posing the most risk to the covered entity.
500.7 Access Privileges and Management
Each covered entity must, based on its risk assessment, undertake the following as part of its cybersecurity program:
Restrict user access privileges to information systems providing access to nonpublic information to those necessary for job performance.
Limit the number of privileged accounts and restrict access functions to job-specific requirements.
Use privileged accounts only for functions requiring such access.
Periodically, at a minimum annually, review all user access privileges and deactivate or disable unnecessary accounts and access.
Deactivate or securely configure all protocols allowing remote control of devices.
Promptly terminate access following employment termination.
Implement a written password policy meeting industry standards if passwords are employed for authentication.
500.12 Multi-factor Authentication
Utilize multi-factor authentication for any individual accessing a covered entity's information systems.
500.13 Asset Management and Data Retention Requirements
Each covered entity must implement written policies and procedures designed to establish and maintain a comprehensive, accurate, and documented asset inventory of its information systems. This must include tracking key information for each asset, including:
Owner
Location
Classification or sensitivity
Support expiration date
Recovery time objectives
The frequency for updating and validating the covered entity's assets.
500.14 Monitoring and Training
As part of its cybersecurity program, each covered entity must:
Implement risk-based controls for protection against malicious code, including those that monitor and filter web traffic and email to block malicious content.
Provide at least annual cybersecurity awareness training for all personnel, including social engineering awareness, updated to address risks identified in the risk assessment.
500.15 Encryption
Implement a written policy mandating encryption meeting industry standards to protect NPI held or transmitted. The CISO must review the feasibility and effectiveness of encryption and compensating controls at least annually.
500.16 Incident Response and Business Continuity Management
Establish written plans for investigating and mitigating cybersecurity events, including incident response (IR), business continuity (BC, and disaster recovery (DR) plans. Details regarding the contents of these plans are not included in this summary.
All plans must be accessible to parties responsible for their implementation.
Training must be provided to all parties responsible for implementing these plans.
IR, BC, and DR plans must be tested at least annually.
Maintain backups of critical data safeguarded from unauthorized alterations or destruction.
500.17 Notice of Cybersecurity Incident
Notification must be posted on the DFS website within 72 hours.
Notification includes incidents involving covered entities, third-party vendors, or affiliates.
Provide the superintendent with any requested information and continuous updates on material changes or new information.
Submit notice of compliance with regulations by April 15 of the prior year, which includes sufficient data and documentation.
Notice of non-compliance is also required, specifying the nature of non-compliance and a remediation timeline or confirmation of remediation.
Certification must involve the covered entity's highest-ranking officer and CISO.
Maintain documentation related to the annual Reg 500 certification for at least 5 years.
For cybersecurity events involving extortion payments at the covered entity, notify the superintendent within 24 hours, followed by a written description of the reasons for the payment and proper justification within 30 days.
Please note that the information in this document has been summarized for executive use and is presented from an information technology perspective. It should not be construed as legal advice.