Final Phase for NY Cybersecurity Regulation: Is Your Financial Institution in Compliance?

Harris Beach Murtha PLLC

Eight years after the regulation was first adopted, the final phase of the amendments to New York’s groundbreaking Cybersecurity Regulation (23 NYCRR Part 500) takes effect Nov. 1, and businesses in the financial services sector must be prepared to comply with the new requirements.

New York was the first state in the nation to mandate cybersecurity standards across the financial services sector when the state’s Department of Financial Services instituted Cybersecurity Regulation in 2017.

The regulation required licensed financial institutions to implement comprehensive cybersecurity programs, including written security policies, risk assessments, regular testing for vulnerabilities, controls over data accessible to third-party service providers, multi-factor authentication for certain access, an incident response plan, and annual written reporting by the organization’s Chief Information Security Officer.

Covered entities must certify compliance annually. Regulated entities include partnerships, corporations, branches, agencies, and associations operating under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the state’s Banking Law, Insurance Law or Financial Services Law.

The regulation was last amended in November 2023 to better protect New York businesses and consumers from cyber threats such as ransomware, extortion and third-party breaches. The state has phased in the amended requirements over the past two years, and the last of them take effect Nov. 1. Those changes include:

  • Enhanced Multi-Factor Authentication (MFA) Requirements (Section 500.12): Covered entities in the Small Business, Standard and Class A categories must all comply with the enhanced MFA requirements. While SMS one-time codes qualify as a factor, they are more vulnerable to interception and SIM-swap attacks, and DFS, like most security practitioners, prefers an authenticator application that uses a number-matching challenge, or a hardware token.
    • Covered entities qualifying for the limited exemption under Section 500.19(a) (small businesses) must still use MFA for remote access to their information systems, for remote access to third-party applications, and for all privileged accounts other than service accounts that prohibit interactive login.
    • All other covered entities must use MFA for any individual accessing any information system of the covered entity.
  • Asset Management (Section 500.13(a)): All covered entities must implement written policies and procedures to maintain a complete, accurate and documented inventory of their information systems that tracks, among other things, the owner and location of each asset. An asset inventory is also the first control in the CIS Critical Security Controls (Control 1: Inventory and Control of Enterprise Assets) and is generally regarded as the foundation of a managed security program: a control such as MFA, patching or vulnerability scanning can only be shown to cover every system if the organization first knows which systems exist, who owns them and where they run.
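The practical test an examiner or auditor applies to the asset inventory requirement is whether the inventory is complete (every system actually in use is listed) and whether each entry carries the required attributes. The script below is an added example, not code from the original article or from DFS, that performs both checks: it flags inventory entries with empty required fields and reconciles the inventory against a list of discovered hosts (for example, the output of a network scan or a cloud account listing) to surface untracked and stale systems. The inventory rows, the discovered hosts, and the `classification` field are constructed sample data and assumptions; the page itself only names owner and location as tracked attributes.

```python
"""Asset inventory completeness and reconciliation check (added example).

Constructed sample data: the inventory and discovery results are made up.
Owner and location are the attributes named in the article; 'classification'
is an assumed additional field, included to show how the check generalizes.
"""

REQUIRED_FIELDS = ("owner", "location", "classification")  # classification is an assumption

# Constructed inventory: what the organization believes it operates.
INVENTORY = [
    {"hostname": "core-db-01", "ip": "10.10.1.5", "owner": "dba-team",
     "location": "NYC-DC1", "classification": "NPI"},
    {"hostname": "web-01", "ip": "10.10.2.10", "owner": "web-team",
     "location": "", "classification": "public"},          # missing location
    {"hostname": "jump-01", "ip": "10.10.3.2", "owner": "",
     "location": "AWS us-east-1", "classification": "internal"},  # missing owner
    {"hostname": "legacy-fs", "ip": "10.10.9.9", "owner": "ops",
     "location": "NYC-DC1", "classification": "NPI"},        # no longer reachable
]

# Constructed discovery results, e.g. from an authenticated scan or cloud API export.
DISCOVERED = [
    {"hostname": "core-db-01", "ip": "10.10.1.5"},
    {"hostname": "web-01", "ip": "10.10.2.10"},
    {"hostname": "jump-01", "ip": "10.10.3.2"},
    {"hostname": "shadow-sftp", "ip": "10.10.4.44"},         # not in the inventory
]


def find_incomplete(inventory, required=REQUIRED_FIELDS):
    """Return {hostname: [missing fields]} for entries lacking a required attribute.

    An attribute counts as missing when the key is absent or its value is blank.
    """
    incomplete = {}
    for entry in inventory:
        missing = [f for f in required if not str(entry.get(f, "")).strip()]
        if missing:
            incomplete[entry["hostname"]] = missing
    return incomplete


def reconcile(inventory, discovered):
    """Compare inventory and discovery results, keyed on IP address.

    Returns (untracked, stale): hostnames seen on the network but absent from
    the inventory, and inventoried hosts that discovery did not find. Both
    lists are sorted so the output is stable for diffing between runs.
    """
    inv_by_ip = {e["ip"]: e["hostname"] for e in inventory}
    disc_by_ip = {d["ip"]: d["hostname"] for d in discovered}
    untracked = sorted(disc_by_ip[ip] for ip in disc_by_ip.keys() - inv_by_ip.keys())
    stale = sorted(inv_by_ip[ip] for ip in inv_by_ip.keys() - disc_by_ip.keys())
    return untracked, stale


def audit(inventory, discovered):
    """Produce a list of findings suitable for an auditable report."""
    findings = []
    for host, missing in sorted(find_incomplete(inventory).items()):
        findings.append(f"INCOMPLETE {host}: missing {', '.join(missing)}")
    untracked, stale = reconcile(inventory, discovered)
    findings.extend(f"UNTRACKED {h}: discovered but not in inventory" for h in untracked)
    findings.extend(f"STALE {h}: in inventory but not discovered" for h in stale)
    return findings


if __name__ == "__main__":
    for line in audit(INVENTORY, DISCOVERED):
        print(line)
```

Keying on IP address rather than hostname is deliberate: an unmanaged system rarely registers a friendly name, and an IP seen in scan output with no inventory row is exactly the gap the regulation is aimed at. In a real deployment the two inputs would be exports from the scanner or cloud provider and from the inventory system, and the findings would be retained as evidence of the periodic review.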

The state also expects regular vulnerability testing under Section 500.05: annual penetration testing, automated vulnerability scans (with manual review of systems the scans cannot reach), and detailed, auditable documentation showing that the program is maintained on an ongoing basis and that identified vulnerabilities are tracked and remediated. If your business is not there yet, it is time to move.

The state offers a comprehensive set of resources for understanding the regulation, along with training on achieving compliance, at its Cybersecurity Resource Center. These are helpful both for their content and, perhaps more importantly, for understanding what DFS expects a covered entity to be able to demonstrate. Businesses associated with the financial services sector should visit the site to confirm they understand their obligations and take immediate steps, in both policy and technology, to comply.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Harris Beach Murtha PLLC
