Blog Compliance 23 NYCRR 500: What Startups Need to Know November 5, 2020 Oro If you are (or are working with) a financial institution operating in New York, listen up. The New York Department of Financial Services (NYDFS) recently introduced 23 NYCRR 500, legislation that defines how financial companies protect sensitive consumer information. And, chances are, you need to comply with it—for good reason: cybersecurity matters now more than ever. Just last year, Verizon analyzed 41,686 security events; 2,013 of those were confirmed data breaches. They discovered that 71% of those cyberattacks were motivated by financial gain. It’s no wonder that, in this age of data breaches and security leaks, states are stepping up to protect consumer information. New York is one of the latest to establish cybersecurity regulations for financial businesses and their vendors. What Is 23 NYCRR 500? 23 NYCRR 500, otherwise knows as the NYDFS Cybersecurity Regulation, establishes compliance standards for certain financial institutions operating in the state of New York. (Does my startup have to comply with 23 NYCRR 500? Skip to the next section to find out.) This legislation sets standards for financial institutions’ cybersecurity programs. It requires companies to assess their risks and protect their information systems, and it details the response for security events. Ultimately, the legislation aims to protect sensitive, nonpublic information, especially personally identifiable information (PII) that could be used to identify a consumer. This is intended to prevent identity theft and exploitation based on exposed PII, like social security numbers, bank account information, etc. The NYDFS started rolling out the Cybersecurity Regulation in 2017. The department did so in staggered phases, requiring key compliance requirements by certain deadlines, until full implementation in March 2019. That means time’s up! As of now, covered entities must adhere to all demands of the legislation to be in compliance with the NYDFS. It’s the law. Does My Startup Have to Comply with 23 NYCRR 500? Does your financial startup need a NYDFS license to operate? If so, then you probably need to comply with the NYDFS Cybersecurity Regulation. The NYDFS regulates financial services such as: Life insurance companies Holding companies Private bankers Mortgage companies Credit unions Foreign agencies Licensed lenders Service providers All of the above, and more, need to be compliant with the NYDFS Cybersecurity Regulation in order to legally do business in New York. Recommended for you Founder’s Guide: The Right Compliance Framework for Your Startup The burden is on founders to understand the use cases and benefits of each compliance type to make an informed decision. Here’s how you can cut through the vague and verbose legal speak to do just that. Get the founders guide icon-arrow-long What If My Startup Isn’t Regulated By NYDFS? If you plan on working with financial companies in New York, chances are you’ll still need to be compliant. The NYDFS Cybersecurity Regulation applies if you work as a third-party vendor, providing critical services to financial companies under NYDFS authority. That is, unless you meet any of the following criteria: Employ fewer than 10 people (independent contractors included) Made under $5 million in gross annual revenue in each of the last three fiscal years Have less than $10 million in year-end total assets Don’t work directly or indirectly with any information systems or nonpublic information These exemptions apply to the financial services listed above as well as to third-party vendors. What If I Operate Outside of New York? Even though the NYDFS regulations cover entities specific to New York, financial companies that operate outside the state might have to comply with similar rules. For example, the National Association of Insurance Commissioners (NAIC) created a model for cybersecurity regulation based on the rules set by the NYDFS. Already, South Carolina, Ohio, Michigan, Alabama, Delaware, Connecticut, and New Hampshire have passed regulations following the NYDFS’s lead, and more states are expected to follow suit. If you work outside of New York, it’s not a bad idea to contact your state department to make sure your startup is compliant. What Happens If I Don’t Comply? Don’t risk it! If you fail to comply with the NYDFS Cybersecurity Regulation, you’re in violation of New York State law. That said, the NYDFS has yet to specify exactly what the punishment entails. If it’s anything like what happens if you violate New York Banking Law, your fines could range from $2,500 to $75,000 per day, depending on the severity of your misstep. What Do I Need to Do to Comply with 23 NYCRR 500? Under the NYDFS Cybersecurity Regulation, you will need to design IT policies and procedures that mitigate risk as well as meet rigorous breach-reporting requirements. To comply, you’ll need to do the following: Designate a Chief Information Security Officer (CISO) This qualified person is responsible for overseeing the cybersecurity program and maintaining employee compliance. Conduct regular risk assessments These assessments home in on internal and external threats (malware, fraud schemes, etc.) so you can design a security program that protects against them. You will need to complete an assessment periodically, and whenever you make significant changes to your systems or business operations. Design an approved cybersecurity policy Based on your risk assessment, you’ll need to create a policy and get it approved by your CISO or by an external reviewer. Your policy will need to address: Information security Customer data privacy System and network security Vendor and third-party data governance and security Provider management and access controls Business continuity and disaster recovery planning You will also need to develop an incident response plan that enables your team to send out breach notifications within 72 hours. Implement a cybersecurity program This program puts into place the practices identified in your cybersecurity policy, along with: Data encryption Data retention, including how PII is disposed of Audit trails that document detected threats and responses over at least five years Access privileges, controlling and monitoring who can access your information systems and when Other security measures, such as multifactor authentication Test your third-party vendors You’ll need to define information security measures and write a policy for your third-party service providers to follow. This policy includes a third-party vendor risk assessment, security requirements, evaluations, and assessments. The NYDFS Cybersecurity Regulation also requires that you regularly test and evaluate how well your vendors perform and follow cybersecurity controls. Comply with the NYDFS reporting and testing To make sure you’re following regulations, the NYDFS requires companies to send in annual written reports. These reports detail your security processes and procedures as well as conduct annual penetration tests and biannual vulnerability assessments. Learn more about what’s required under 23 NYCRR 500 here. How Do I Get Started with 23 NYCRR 500? If you’re not in compliance and should be, or if your startup recently fell under the authority of the NYDFS, follow these steps to get on the right path. Determine Whether Your Startup Is Exempt Your first step is to figure out whether your startup is exempt from the NYDFS Cybersecurity Regulation. If you are, follow these instructions to file your exemption. You can use the [above overview](anchor link) as a guide. When in doubt, contact the NYDFS. Take the First Steps If you fall under the authority of the NYDFS and need to become compliant, start by assigning a CISO and organizing a compliance team. You can build your team from the expertise that already exists within your company, though many startups will need to look elsewhere. With your team in place, you’ll need to conduct a risk assessment, implement necessary controls, and submit your first annual Certification of Compliance to the NYDFS. To stay compliant, you’ll need to report all “material” cyber events, as well as renew your risk assessment and resubmit your certification every year. Enlist Expert Help Startups and small businesses have to comply with the same the NYDFS standards as large, established companies. It’s not easy to translate requirements for early-stage teams or dedicate internal resources to becoming compliant. That’s why we recommend seeking external expertise, especially in the beginning. Thoropass, for example, guides you through the process of becoming 23 NYCRR 500 compliant in less time with fewer dedicated resources. We help you conduct a risk assessment and determine what controls you need to fulfill NYDFS requirements. Instead of scrambling to understand what’s needed, we tell you exactly what you need to implement, in what order, and how, so you can focus on your customers and business. Compliance Isn’t Just about Following the Law Making sure you comply with the NYDFS Cybersecurity Regulation will help you do more than avoid costly fines. The risk analysis and security controls you implement in becoming compliant signal to your customers that you take their protection seriously. More customers, particularly the enterprise businesses that you need to grow upmarket, expect a stringent level of information security. Savvy startups use this expectation to their advantage. They bring compliance into their marketing and sales messaging and leverage it as a way to stand out from the competition. Complying with the NYDFS isn’t just about following the law; it’s about making sure you do the best for your customers and your business. Share this post with your network: Facebook Twitter LinkedIn