Data Classification and 23 NYCRR 500


New York is one of the largest financial hubs in the world, and the New York Department of Financial Services (DFS) is responsible for governing and regulating the institutions that provide financial service products within its jurisdiction. For this reason, major financial firms operating in New York will face stiff cybersecurity obligations under the revised New York Department of Financial Services Cybersecurity Regulations (23 NYCRR 500).

A key requirement of the new regulation is the establishment of cybersecurity leadership within organizations by designating a qualified individual to serve as the CISO. This designated individual will be tasked with overseeing and enforcing the firm’s cybersecurity program and policy. Each organization will also need to implement regular staff training covering specific cybersecurity risk areas.

The stipulations of the new regulation require organizations to have detection, defense and response capabilities, including regulatory reporting, as well as penetration testing. As with other new regulations, such as the European General Data Protection Regulation (GDPR), organizations must report cybersecurity incidents to the DFS as promptly as possible (no later than 72 hours post incident).

So how do organizations ensure they are compliant with the various requirements within 23 NYCRR 500? While a broad review and evaluation of an organization’s existing cybersecurity program, policy and technology with senior leadership is critical, there are some specific areas where data classification can assist in achieving certification of compliance.

Identification of NPI

The identification of NPI is critical to NYDFS compliance because it enables an organization to:

  • Identify and assess internal and external risk to NPI, facilitating the development of controls and practices for its protection
  • Develop and document cybersecurity policy and procedures that govern NPI throughout its lifecycle
  • Notify the DFS with the precision and timing the regulation requires should a cyber-event occur
  • Identify and manage third-party access to NPI, ensuring that adequate cybersecurity practices are in place
  • Determine the scope for encryption or compensating controls for NPI in transit or at rest
  • Report on and support the submission of a certification of compliance with 23 NYCRR 500.07, 500.13 & 500.15
  • Incorporate NPI into the Cybersecurity Program and policy requirements stipulated in 23 NYCRR 500.02 and 500.03

Retention and Audit

Data classification enables organizations to satisfy § 500.06, which requires Covered Entities to maintain sufficiently detailed records. Those records must be identified and retained to:

  • Completely reconstruct all financial transactions and accounting necessary to enable the Covered Entity to detect and respond to attempted and actual attacks
    • Retain these records for a minimum of 5 years
  • Track and maintain logging of all authorized user access to critical systems, allowing for event reconstruction
    • Retain these records for a minimum of 3 years
  • Report on and submit certification of compliance with 23 NYCRR 500.06
  • Incorporate these records into the Cybersecurity Program and policy requirements stipulated in 23 NYCRR 500.02 and 500.03

Depending on the industry you are in, your organization may be required to demonstrate compliance with a litany of IT governance capabilities, policies, procedures and underlying technical controls that collectively safeguard the data your organization is accountable for. While many of these requirements are intended, and ultimately designed, to achieve the same result (effective security throughout the data life cycle), how compliance is achieved and demonstrated varies widely, and care must be taken to understand each regulation thoroughly.
