NYDFS Cybersecurity Regulations - 23 NYCRR Part 500
  1. 23 NYCRR Part 500 Cybersecurity Regulations, New York Department of Financial Services
     Shawn Tuma, Cybersecurity & Data Privacy Attorney
     Direct: 214.472.2135 | Mobile: 214.726.2808 | Email: shawn.tuma@solidcounsel.com
     Blog: www.shawnetuma.com
     Download Slides: www.shawnetuma.com/presentations/

  2. Introduction
     • The cybersecurity threat is ubiquitous.
     • New York is a major international financial hub.
     • The New York Department of Financial Services (DFS) developed Cybersecurity Requirements for Financial Services Companies.
     NEW YORK DEPARTMENT OF FINANCIAL SERVICES CYBERSECURITY REGULATIONS

  3. Key dates for Covered Entities
     • March 1, 2017: Law becomes effective.
     • August 28, 2017: Must be in compliance with cybersecurity program (Section 500.12), cybersecurity policy (500.03), chief information security officer (500.04(a)), access privileges (500.07), cybersecurity personnel and intelligence (500.10), and incident response plan (500.16).
     • September 27, 2017: Deadline for filing Notices of Exemption under 23 NYCRR 500.19(e).
     • February 15, 2018: Deadline for Covered Entities to submit first certification under 23 NYCRR 500.17(b).
     • March 1, 2018: One-year transition period ends; must be in compliance with chief information security officer reporting to the board of directors (500.04(b)), penetration testing and vulnerability assessments (500.05), risk assessments (500.09), multi-factor authentication (500.12), and cybersecurity awareness training (500.14(a)(2)).
     • September 3, 2018: Eighteen-month transition period ends; must be in compliance with audit trails (500.06), application security (500.08), data retention (500.13), policies and procedures to monitor the activity of authorized users (500.14(a)(1)), and encryption (500.15).
     • March 1, 2019: Two-year transition period ends; must be in compliance with third-party service provider security policy (500.11).

  4. Which businesses are impacted?
     • The Cybersecurity Regulations can impact businesses globally, even if they do not do business in New York.
     • They apply directly to any Covered Entity.
     • They apply indirectly to Third Party Service Provider(s) of the Covered Entity, through the requirements placed on the Covered Entity for doing business with the Third Party Service Provider.

  5. Which businesses are impacted?
     • Covered Entity means any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.
     • Person is any non-governmental entity.
     • Covered Entities include these doing business in NY:
       • Banks and trust companies
       • Credit unions
       • Foreign bank branches
       • Licensed lenders
       • Health insurers
       • Life insurance companies
       • Property and casualty insurance companies
       • Licensed agents & brokers
       • Savings and loan associations
       • Bail bond agents
       • Budget planners
       • Charitable foundations
       • Check cashers
       • Holding companies
       • Investment companies
       • Money transmitters
       • New York State Regulated Corporations
       • Service Contract Providers (198 on website lookup)

  6. Which businesses are impacted?
     Exemptions: these Covered Entities are exempt from all, or designated parts, of the Cybersecurity Regulations, but must file for the exemption:
     • Exemption from certain sections is available to Covered Entities with:
       • Fewer than 10 employees, including independent contractors, of the CE or its Affiliates located in NY or responsible for business of the CE;
       • Less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations of the CE and its Affiliates; or
       • Less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates.
     • An employee, agent, representative or designee of a CE who is covered under that CE's cybersecurity program.
     • A CE that neither operates any Information System nor holds (and is not required to hold) Nonpublic Information is exempt from certain sections.
     • Additional discrete exemptions.

  7. Which businesses are impacted?
     • Third Party Service Provider(s) means “a Person that (i) is not an Affiliate of the Covered Entity, (ii) provides services to the Covered Entity, and (iii) maintains, processes or otherwise is permitted access to Nonpublic Information through its provision of services to the Covered Entity.”
     • Nonpublic Information is all electronic information that is not publicly available and is sensitive business information of the Covered Entity, sensitive identifying information of an individual, or health care related information of an individual.
     • Section 500.11 requires a Covered Entity to ensure its Information Systems and Nonpublic Information are secured when accessed by or entrusted to TPSPs, by means of risk assessments, written policies and procedures, contractual protections, representations and warranties, due diligence, and periodic assessments of the TPSP for adequacy.

  8. What do the Cybersecurity Regulations require, generally?
     They provide an outline of essential minimum standards, designate who should lead the process, and mandate top-down buy-in by management and the Board of Directors:
     1. Each Covered Entity must assess its unique risk profile and design a program that addresses its risks in a robust fashion.
     2. Each Covered Entity must designate a qualified individual to serve as its Chief Information Security Officer, responsible for overseeing and implementing its cybersecurity program.
     3. Report “cybersecurity events”: (a) data breaches requiring reporting, and (b) unsuccessful attacks that had a reasonable likelihood of materially harming material operations.
     4. Each Covered Entity’s senior management must be responsible for its cybersecurity program and file an annual certification confirming compliance with the Cybersecurity Regulations.

  9. Cybersecurity Program, Section 500.02
     “Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems.”
     • Shall be based on its Risk Assessment and designed to perform these core functions:
       • Identify and assess internal and external risks;
       • Use defensive infrastructure and policies and procedures to protect IS and NPI from unauthorized access, use, or malicious acts;
       • Detect Cybersecurity Events;
       • Respond to identified or detected Cybersecurity Events and mitigate negative effects;
       • Recover from Cybersecurity Events and restore normal operations and services; and
       • Fulfill applicable regulatory reporting obligations.
     • Keep documentation; may adopt an Affiliate’s cybersecurity program.

  10. Cybersecurity Policy, Section 500.03
      “Each Covered Entity shall implement and maintain a written policy or policies, approved by a Senior Officer or the Covered Entity’s board of directors … setting forth the Covered Entity’s policies and procedures for the protection of its” IS and NPI.
      • Shall be based on its Risk Assessment and address these areas, as applicable:
        • Information security
        • Data governance and classification
        • Asset inventory and device management
        • Access controls and identity management
        • Business continuity and disaster recovery planning and resources
        • Systems operations and availability concerns
        • Systems and network security
        • Systems and network monitoring
        • Systems and application development and quality assurance
        • Physical security and environmental controls
        • Customer data privacy
        • Vendor and Third Party Service Provider management
        • Risk assessment; and
        • Incident response

  11. Chief Information Security Officer, Section 500.04
      “Each Covered Entity shall designate a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy….”
      • The CISO may be an employee of the CE or an Affiliate, or
      • The CE may use a Third Party Service Provider, but the CE shall:
        • Retain responsibility for compliance;
        • Designate a senior member of the CE’s personnel responsible for direction and oversight; and
        • Require the Third Party Service Provider to maintain a compliant cybersecurity program.
      The CISO shall report in writing at least annually to the CE’s board of directors (or equivalent) on the CE’s cybersecurity program and material cybersecurity risks, considering as applicable:
      • The confidentiality of NPI and the integrity and security of IS;
      • The CE’s cybersecurity policies and procedures;
      • The CE’s material cybersecurity risks;
      • The overall effectiveness of the CE’s cybersecurity program; and
      • Material Cybersecurity Events involving the CE.

  12. Penetration Testing and Vulnerability Assessments, Section 500.05
      “The cybersecurity program for each Covered Entity shall include monitoring and testing, developed in accordance with the Covered Entity’s Risk Assessment, designed to assess the effectiveness of the Covered Entity’s cybersecurity program.”
      Monitoring and testing shall include:
      • Continuous monitoring (or an equivalent that detects ongoing changes to IS), or
      • Periodic Penetration Testing and vulnerability assessments, as well as:
        • Annual Penetration Testing based on the Risk Assessment; and
        • Bi-annual vulnerability assessments that include systematic scans or reviews to identify publicly known vulnerabilities, based on the Risk Assessment.

  13. Audit Trail, Section 500.06
      Covered Entities shall maintain systems that:
      • Are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the CE; and
        • Maintain these for 5 years.
      • Include audit trails designed to detect and respond to material Cybersecurity Events.
        • Maintain these for 3 years.

  14. Access Privileges, Section 500.07
      The Covered Entity’s cybersecurity program shall limit user access privileges to IS that provide access to NPI and shall periodically review such access privileges.

  15. Application Security, Section 500.08
      The Covered Entity’s cybersecurity program shall include:
      • Written procedures, guidelines and standards to ensure the use of secure development practices for in-house developed applications utilized by the CE; and
      • Procedures for evaluating, assessing or testing the security of externally developed applications utilized by the CE in its technology environment.
      • All such procedures, guidelines and standards shall be periodically reviewed, assessed and updated by the CISO.

  16. Risk Assessment, Section 500.09
      “Each Covered Entity shall conduct a periodic Risk Assessment of the Covered Entity’s Information Systems sufficient to inform the design of the cybersecurity program ….”
      The Risk Assessment shall:
      • Be updated as reasonably necessary to address changes in the CE's IS, NPI, or business operations.
      • Allow for revision of controls to respond to technological developments and evolving threats, and consider the particular risks of the CE’s business operations, the NPI collected or stored, the IS utilized, and the effectiveness of controls to protect NPI / IS.
      • Be carried out in accordance with written policies and procedures and be documented, including:
        • Criteria for evaluation and categorization of identified cybersecurity risks or threats facing the CE;
        • Criteria for assessing the confidentiality, integrity, security, and availability of IS / NPI, and the adequacy of existing controls concerning identified risks; and
        • A description of how identified risks will be mitigated or accepted based on the Risk Assessment and how the cybersecurity program will address the risks.

  17. Cybersecurity Personnel and Intelligence, Section 500.10
      In addition to the CISO, CEs shall:
      • Have qualified cybersecurity personnel to manage their cybersecurity risks and perform or oversee performance of the cybersecurity program;
      • Provide cybersecurity personnel with appropriate updates and training; and
      • Verify that key cybersecurity personnel take steps to maintain current knowledge of changing cybersecurity threats and countermeasures.
      • A CE may use an Affiliate or TPSP for this.

  18. Third Party Service Provider Security Policy, Section 500.11
      “Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers.”
      • P&P should be based on the CE’s Risk Assessment and address the following, as applicable:
        • The identification and risk assessment of TPSPs;
        • Minimum cybersecurity practices required of a TPSP to do business with the CE;
        • The due diligence process used to evaluate the adequacy of such TPSP's cybersecurity practices;
        • Periodic assessment of such TPSPs based on the risk they present and the continued adequacy of their cybersecurity practices.
      • P&P shall include relevant guidelines for due diligence and/or contractual protections relating to TPSPs and applicable guidelines addressing:
        • The TPSP’s P&P for access controls and MFA to IS / NPI;
        • The TPSP’s P&P for use of encryption in transit and at rest;
        • Notice to be provided to the CE of a Cybersecurity Event; and
        • Representations and warranties addressing the TPSP’s cybersecurity P&P.

  19. Multi-Factor Authentication, Section 500.12
      • Based on its Risk Assessment, the CE shall use effective controls, which may include MFA or Risk-Based Authentication, to protect against unauthorized access to NPI or IS.
      • MFA shall be utilized for any individual accessing the CE’s internal networks from an external network, unless the CE’s CISO has approved in writing the use of reasonably equivalent or more secure access controls.

  20. Limitations on Data Retention, Section 500.13
      • As part of its cybersecurity program, each CE shall include policies and procedures for the secure disposal, on a periodic basis, of any NPI no longer needed,
      • Unless such NPI is required to be retained or targeted disposal is not reasonably feasible.

  21. Training and Monitoring, Section 500.14
      As part of its cybersecurity program, each CE shall:
      • “implement risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information by such Authorized Users;” and
      • “provide regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the Covered Entity in its Risk Assessment.”

  22. Encryption of Nonpublic Information, Section 500.15
      As part of its cybersecurity program, and based on its Risk Assessment, each CE shall implement controls, including encryption, to protect NPI held or transmitted by the CE, both in transit over external networks and at rest.
      • The CE may use effective alternative compensating controls reviewed and approved by its CISO if it determines it is infeasible to use:
        • Encryption of NPI in transit over external networks; or
        • Encryption of NPI at rest.
      • The CISO must review this feasibility determination at least annually.

  23. Incident Response Plan, Section 500.16
      As part of its cybersecurity program, the CE shall establish a written incident response plan designed to promptly respond to, and recover from, any material Cybersecurity Event.
      • It shall address:
        • Internal processes for responding;
        • Goals of the IRP;
        • Definition of clear roles, responsibilities and levels of decision-making authority;
        • External and internal communications and information sharing;
        • Identification of requirements for the remediation of any identified weaknesses in the IS and associated controls;
        • Documentation and reporting regarding Cybersecurity Events and related incident response activities; and
        • Evaluation and revision of the IRP following a Cybersecurity Event.

  24. Notices to Superintendent, Section 500.17
      Two types of Notices are required:
      • Event notification: the CE shall notify the superintendent as promptly as possible, but in no event later than 72 hours from a determination that a Cybersecurity Event has occurred that either:
        • Impacts the CE and requires notice to be provided to any government body, self-regulatory agency, or any other supervisory body; or
        • Has a reasonable likelihood of materially harming any material part of the CE’s normal operations.
      • Annual reporting: on February 15 of each year, the CE shall provide the written statement (App. A) for the prior year certifying compliance with these Regulations:
        • Signed by a Senior Officer or the Chairman of the Board;
        • All records, schedules and data supporting the certification are maintained for 5 years for examination;
        • Where deficiencies requiring improvement are identified, the CE shall document current and future efforts to remediate them.

  25. Enforcement, Section 500.20
      “This regulation will be enforced by the superintendent pursuant to, and is not intended to limit, the superintendent’s authority under any applicable laws.”
      The New York Department of Financial Services has very broad authority to investigate civil matters and, through its Criminal Investigations Bureau, criminal matters as well.

  26. FAQs & Slides
      Frequently Asked Questions: http://www.dfs.ny.gov/about/cybersecurity_faqs.htm
      Download Slides: www.shawnetuma.com/presentations/

  27. Shawn Tuma, Cybersecurity & Data Privacy Attorney, Scheef & Stone, L.L.P.
      • Board of Directors & General Counsel, Cyber Future Foundation
      • Board of Advisors, North Texas Cyber Forensics Lab
      • Policy Council, National Technology Security Coalition
      • Cybersecurity Task Force, Intelligent Transportation Society of America
      • Practitioner Editor, Bloomberg BNA – Texas Cybersecurity & Data Privacy Law
      • Cybersecurity & Data Privacy Law Trailblazers, National Law Journal (2016)
      • SuperLawyers Top 100 Lawyers in Dallas (2016)
      • SuperLawyers 2015-17
      • Best Lawyers in Dallas 2014-17, D Magazine (Cybersecurity Law)
      • Council, Computer & Technology Section, State Bar of Texas
      • Privacy and Data Security Committee of the State Bar of Texas
      • College of the State Bar of Texas
      • Board of Directors, Collin County Bench Bar Conference
      • Past Chair, Civil Litigation & Appellate Section, Collin County Bar Association
      • Information Security Committee of the Section on Science & Technology Committee of the American Bar Association
      • North Texas Crime Commission, Cybercrime Committee & Infragard (FBI)
      • International Association of Privacy Professionals (IAPP)
      Direct: 214.472.2135 | Mobile: 214.726.2808 | shawn.tuma@solidcounsel.com | @shawnetuma
      Blog: www.shawnetuma.com | Web: www.solidcounsel.com
