Time to comply with NYDFS Phase Three


Following Labor Day in the United States, compliance with the third of four distinct phases of the New York Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR 500) has come into effect. The regulation is intended to reduce the risk to regulated financial institutions and their clients’ information, and to limit the severity of any breaches that do occur.

23 NYCRR 500 went into effect on March 1, 2017 and specifically applies to ‘covered entities’, those defined as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”

As of September 4, 2018, the 18-month transitional period came to an end and Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR 500.

Phase Three is by far the most prescriptive and clearly defines the outcomes that are expected with each of the individual 23 NYCRR 500 sections applicable here:
• Section 500.06 – Audit Trail
• Section 500.08 – Application Security
• Section 500.13 – Limitations on Data Retention
• Section 500.14(a) – Training and Monitoring
• Section 500.15 – Encryption of Nonpublic Information (NPI)

To ensure efficient and effective compliance with many of the sections of 23 NYCRR 500, it’s imperative that organizations have a thorough understanding of the lifecycle of the NPI where they are the custodians – this extends to all identified third party service providers. The ability to apply visual markings and/or metadata allows NPI to be identified, searched, retained and managed by any number of downstream controls.

On March 1, 2019, the two-year transitional period ends and Covered Entities must comply with the requirements of 23 NYCRR 500.11 – Third Party Service Provider Security Policy. 500.11 states “Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers.”

Phase Four will essentially require that a third party risk management program be developed or employed to ensure that an accurate inventory of third party service providers is maintained and that risk assessments are performed on a periodic basis.

Like GDPR, 23 NYCRR 500 is not constrained by location; both regulations are global in their jurisdiction. While nuances exist in the scope of each regulation, they have similarities in that they are partially or wholly concerned with the protection of personal information of users, clients and customers. Prior regulations have addressed the same scope in various verticals, and US state legislatures are now gaining traction in defining their own (e.g. the California Consumer Privacy Act of 2018, or CCPA) – the trend will continue, and organizations will need to address these common requirements one way or another.