New York Cybersecurity Requirements for Financial Services Companies (NY-CRFSC)
LAST REVISED: May 2019
The New York Cybersecurity Requirements for Financial Services Companies (NY-CRFSC) is a regulation promulgated by the New York Department of Financial Services (NY-DFS) after monitoring “the ever-growing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors” to establish certain regulatory minimum standards on cybersecurity. It was designed to promote the protection of customer information as well as the information technology systems of regulated entities.
See, 23 CRR-NY 500.0
Effective date. NY-CRFSC went into force in March 2017. Full compliance is now expected of covered financial institutions. Consumer reporting agencies must come into compliance between November 1, 2018 and December 31, 2019, depending on the particular provisions of the regulations. See, 23 CRR-NY 500.21 and 23 CRR-NY 201.7
Who is regulated by NY-CRFSC (Territorial Scope)?
Certain financial institutions operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law are ‘covered entities’ under NY-CRFSC. See, 23 CRR-NY 500.1(c) (Definitions)
In addition, NY-DFS issued a new regulation in June 2018 requiring consumer credit reporting agencies to comply with most of the provisions of NY-CRFSC. See, 23 CRR-NY 201.7
Limited exemptions. Certain covered entities are exempted from compliance with some requirements. For example, covered entities that meet the thresholds below are exempted from some requirements (e.g. appointment of CISO/specialized employees, penetration testing, maintenance of records, multi-factor authentication, application security):
- fewer than 10 employees located in New York or responsible for business of the covered entity;
- less than $5,000,000 in gross annual revenue in each of the last 3 fiscal years from New York business operations; or
- less than $10,000,000 in year-end total assets.
See, 23 CRR-NY 500.19
What is regulated by NY-CRFSC (Material Scope)?
NY-CRFSC requires covered organizations to protect ‘information systems’ and ‘non-public information’ from cyber-threats by (1) performing risk assessments; (2) maintaining a cyber-security program; (3) establishing and maintaining cyber-security policies; (4) appointing a chief information security officer (CISO) and hiring competent personnel; and (5) ensuring vendor compliance.
Information system means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process control systems, telephone switching and private branch exchange systems, and environmental control systems. See, 23 CRR-NY 500.1(c) (Definitions)
Non-public information means all electronic information that is not publicly available information (i.e. information the entity has a reasonable basis to believe is lawfully made available to the general public from government records, widely distributed media, or disclosures required under applicable law) and is:
- business related information the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the covered entity;
- any information concerning an individual which can be used to identify such individual, in combination with any one or more of the following data elements: (i) SSN; (ii) drivers’ license number or non-driver identification card number; (iii) account number, credit or debit card number; (iv) any security code, access code or password that would permit access to an individual’s financial account; or (v) biometric records;
- any information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual that relates to: (i) the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual’s family; (ii) the provision of health care to any individual; or (iii) payment for the provision of health care to any individual.
See, 23 CRR-NY 500.1(g)&(j) (Definitions)
NOTE: NY-CRFSC requires organizations to protect not only certain kinds of information about individuals but also information about organizations and businesses.
Obligations imposed by NY-CRFSC
(1) Perform risk assessments
Covered entities shall conduct a periodic risk assessment (updated as reasonably necessary) to inform the design of the cybersecurity program. The risk assessment shall be carried out in accordance with written policies and procedures and shall be documented. Such policies and procedures shall include:
- criteria for the evaluation and categorization of identified cybersecurity risks or threats facing the covered entity;
- criteria for the assessment of the confidentiality, integrity, security and availability of the covered entity’s information systems and nonpublic information, including the adequacy of existing controls in the context of identified risks; and
- requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the cybersecurity program will address the risks.
See, 23 CRR-NY 500.9
(2) Maintain a cyber-security program
Covered entities are required to maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the information systems. The program shall be based on the entity’s risk assessment and designed to perform the following core cybersecurity functions:
- identify and assess internal and external cybersecurity risks that may threaten the security or integrity of nonpublic information;
- use defensive infrastructure and the implementation of policies and procedures to protect the covered entity’s information systems, and the nonpublic information stored on those information systems, from unauthorized access, use or other malicious acts;
- detect cybersecurity events;
- respond to identified or detected cybersecurity events to mitigate any negative effects;
- recover from cybersecurity events and restore normal operations and services; and
- fulfill applicable regulatory reporting obligations.
All documentation and information relevant to the covered entity’s cybersecurity program shall be made available to the relevant regulatory agency upon request.
See, 23 CRR-NY 500.2
Pen testing and vulnerability assessments. As part of the program, covered entities must monitor and test to assess the effectiveness of the program, including continuous monitoring or periodic penetration testing and vulnerability assessments. At a minimum, covered entities shall conduct:
- annual penetration testing of information systems; and
- bi-annual vulnerability assessments.
See, 23 CRR-NY 500.5
Audit trail. Covered entities shall securely maintain records in their systems that:
- are designed to reconstruct material financial transactions sufficient to support normal operations for no fewer than five years; and
- include audit trails designed to detect and respond to cybersecurity events for no fewer than three years.
See, 23 CRR-NY 500.6
Access privileges. As part of the program, covered entities shall limit user access privileges to information systems that provide access to nonpublic information and shall periodically review such access privileges. See, 23 CRR-NY 500.7
Application security. The program shall include written procedures, guidelines and standards to ensure the use of secure development practices for in-house developed applications utilized by the covered entity, and procedures for evaluating, assessing or testing the security of externally developed applications utilized by the covered entity. All such procedures, guidelines and standards shall be periodically reviewed, assessed and updated as necessary by the CISO (or a qualified designee) of the covered entity. See, 23 CRR-NY 500.8
Multi-factor authentication. Based on its risk assessment, each covered entity shall use effective controls, which may include multi-factor authentication or risk-based authentication, to protect against unauthorized access to nonpublic information or information systems. Multi-factor authentication shall be utilized for any individual accessing the covered entity’s internal networks from an external network, unless the CISO has approved in writing the use of an equivalent or more secure access controls. See, 23 CRR-NY 500.12
Data retention. As part of the program, each covered entity shall include policies and procedures for the secure disposal on a periodic basis of nonpublic information that is no longer necessary for business operations or for other legitimate business purposes, except where such information is otherwise required to be retained by law, or where disposal is not reasonably feasible. See, 23 CRR-NY 500.13
Training and monitoring. As part of the program covered entities shall:
- implement risk-based policies, procedures and controls designed to monitor the activity of authorized users and detect unauthorized access or use of, or tampering with, nonpublic information by such authorized users; and
- provide regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the covered entity in its risk assessment.
See, 23 CRR-NY 500.14
Encryption. As part of the program, controls, including encryption, must be implemented to protect nonpublic information held or transmitted, both in transit and at rest. If encryption is infeasible, nonpublic information must be secured using effective alternative controls reviewed and approved by the CISO. See, 23 CRR-NY 500.15
Incident response plan. As part of the program, a written incident response plan must be in place, designed to promptly respond to, and recover from, any cybersecurity event materially affecting the confidentiality, integrity or availability of the information systems or the continuing functionality of any aspect of the covered entity’s business or operations. The plan shall address:
- the internal processes for responding to a cybersecurity event;
- the goals of the incident response plan;
- the definition of clear roles, responsibilities and levels of decision-making authority;
- external and internal communications and information sharing;
- identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
- documentation and reporting regarding cybersecurity events and related incident response activities; and
- the evaluation and revision as necessary of the incident response plan following a cybersecurity event.
See, 23 CRR-NY 500.16
Notice of cybersecurity events. Each covered entity shall notify the superintendent as promptly as possible but in no event later than 72 hours from a determination that a cybersecurity event has occurred that is either of the following:
- cybersecurity events impacting the covered entity of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body; or
- cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity.
An annual written statement must be submitted to the superintendent covering the prior calendar year certifying compliance. Records, schedules and supporting data for examination must be maintained for five years.
See, 23 CRR-NY 500.17
Confidentiality. Information provided by a covered entity under NY-CRFSC is subject to exemptions from disclosure under the Banking Law, Insurance Law, Financial Services Law, Public Officers Law or any other applicable State or Federal law. See, 23 CRR-NY 500.18
(3) Implement and maintain cyber-security policies
Covered entities shall implement and maintain a written policy or policies, approved by a senior officer or the board or equivalent governing body, establishing the policies and procedures for the protection of information systems and nonpublic information. The policy shall be based on the entity’s risk assessment and address:
- information security;
- data governance and classification;
- asset inventory and device management;
- access controls and identity management;
- business continuity and disaster recovery planning and resources;
- systems operations and availability concerns;
- systems and network security;
- systems and network monitoring;
- systems and application development and quality assurance;
- physical security and environmental controls;
- customer data privacy;
- vendor and third party service provider management;
- risk assessment; and
- incident response.
(4) Appoint a Chief Information Security Officer (CISO) and hire competent personnel
CISO. Each covered entity shall designate a qualified individual responsible for overseeing and implementing the covered entity’s cybersecurity program and enforcing its cybersecurity policy. The CISO shall report in writing at least annually to the board or equivalent governing body on the covered entity’s cybersecurity program and material cybersecurity risks, considering:
- the confidentiality of nonpublic information and the integrity and security of the covered entity’s information systems;
- the covered entity’s cybersecurity policies and procedures;
- material cybersecurity risks to the covered entity;
- overall effectiveness of the covered entity’s cybersecurity program; and
- material cybersecurity events involving the covered entity during the time period addressed by the report.
See, 23 CRR-NY 500.4
Cybersecurity personnel and intelligence. In addition to appointing a CISO, each covered entity shall:
- utilize qualified cybersecurity personnel sufficient to manage the risks and to perform or oversee the performance of the core cybersecurity functions;
- provide cybersecurity personnel with cybersecurity updates and training sufficient to address relevant cybersecurity risks; and
- verify that key cybersecurity personnel take steps to maintain current knowledge of changing cybersecurity threats and countermeasures.
See, 23 CRR-NY 500.10
(5) Ensure vendor compliance
Each covered entity shall implement written policies and procedures to ensure security of information accessible to, or held by, third party service providers. Such policies and procedures shall address:
- the identification and risk assessment of third party service providers;
- minimum cybersecurity practices required to be met by such third party service providers in order for them to do business with the covered entity;
- due diligence processes used to evaluate the adequacy of cybersecurity practices of such third party service providers; and
- periodic assessment of such third party service providers based on the risk they present and the continued adequacy of their cybersecurity practices.
The policies and procedures shall include guidelines for due diligence and/or contractual protections relating to third party service providers including:
- the third party service provider’s policies and procedures for access controls, including its use of multi-factor authentication;
- the third party service provider’s policies and procedures for use of encryption in transit and at rest;
- notification in the event of a cybersecurity event impacting the covered entity’s information systems or nonpublic information; and
- representations and warranties addressing the third party service provider’s cybersecurity policies and procedures.
Limited exception. An agent, employee, representative or designee of a covered entity that is itself a covered entity need not develop its own third party information security policy if it follows the policy of the covered entity, provided that policy is compliant with NY-CRFSC.
See, 23 CRR-NY 500.11
NY-CRFSC is enforced by the superintendent pursuant to its authority under any applicable laws. See, 23 CRR-NY 500.20
N.Y. Comp. Codes R. & Regs. tit. 23, § 500 et seq. (New York Cybersecurity Requirements for Financial Services Companies, NY-CRFSC)