NYDFS UPS THE ANTE FOR CYBERSECURITY IN THE FINANCIAL SECTOR

  • Andy Soodek and Emily Rudolph
  • Published: 20 December 2023


In the face of continuously evolving security and geopolitical threats and risks, regulators are doubling down on operational resilience requirements to ensure the stability of financial services institutions, as firms of all stripes seek to accelerate adoption of digital capabilities to enhance their core service offerings.   

Since its introduction in 2017, the Cybersecurity Requirements for Financial Services Companies [New York Department of Financial Services (NYDFS) Official Compilation of Codes, Rules and Regulations (23 NYCRR 500)] has set the benchmark for organizational security standards throughout the US financial sector. Its impact has been felt by most major US financial institutions, particularly given the sector’s concentration in New York state. 

On November 2, 2023, the NYDFS introduced a second amendment to 23 NYCRR 500. The new amendment raises the bar still further by requiring senior governing bodies of financial institutions to proactively monitor their security preparedness and to oversee the implementation of measures that will mitigate current security threats and risks. 

While the changes introduced by this amendment touch on all aspects of cybersecurity risk management, regulators have placed a particular emphasis on incident response and business continuity/disaster recovery (BCDR) planning, testing and governance. The intent is to ensure that each covered entity remains able to provide consistent services, with even greater responsibilities placed on the largest organizations to implement controls that increase the stability of the financial sector.

Digging Into the Updated Security Requirements for Covered Entities

The recent amendment defines a series of requirements that Chief Information Security Officers (CISOs) are responsible for executing on at least an annual basis, with more frequent risk remediation efforts required when material risks are introduced by changes or updates to systems and processes. These new (or newly annual) activities include:

  • Covered entities must conduct, at a minimum, annual security risk assessments – inclusive of internal and external penetration tests – as well as whenever a material change affects the covered entity’s cyber risk. The results of these assessments will become inputs for other requirements.
  • Reviews, updates to, and approvals of cybersecurity policies by a senior officer or the covered entity’s senior governing body. 
  • Reviews of all user access privileges and tightening of controls over privileged user activities. 
  • Reviews, assessments, and updates of procedures, guidelines and standards related to secure development practices and testing of externally developed applications.
  • Reviews of compensating controls for systems not protected by multi-factor authentication.
  • Reviews and testing of its incident response and BCDR plans, as well as its ability to restore its critical data and information systems from backups.
  • Security awareness training updated to identify organizational security threats and risks, which must include social engineering.
  • Reviews and updates to feasibility of encryption of non-public information and effectiveness of compensating controls.

In addition to these annual requirements, new language was added expanding or clarifying many of the regulation’s more general policy and technical cybersecurity requirements. Covered entities must, among other requirements:

  • Ensure that cybersecurity policies cover data retention, remote access, and security awareness and training.
  • Implement multi-factor authentication (MFA) across systems that process non-public information (NPI).
    • When MFA is not feasible, the CISO must sign off on exceptions, which must include “reasonably equivalent or more secure compensating controls”.
  • Maintain a vulnerability management program, including penetration testing, vulnerability scanning, and monitoring and remediation procedures to promptly identify and resolve security vulnerabilities.
  • Maintain an incident response and reporting capability to identify indicators of compromise, quickly determine whether a security event poses a material impact on normal operations or involves ransomware deployment, and report the incident to the superintendent via the NYDFS website within 72 hours of the incident’s occurrence.
  • Implement protections against malicious code, including monitoring and filtering of web traffic and blocking of malicious email content.
  • Maintain and update asset inventories, defining asset classification and sensitivity, recovery time objectives, support expiration dates, and record retention and disposal standards.

New Class of Covered Entities

As part of the amendment, the NYDFS also introduced a new category of covered entity, referred to as a Class A Company. This is defined as an entity that, together with its affiliates, has had over each of the last two fiscal years:

  1. At least $20 million in gross annual revenues from business operations within the state of New York
  2. Over 2,000 employees (regardless of location) OR over $1 billion in gross annual revenue globally.

[The definition of affiliates used in calculating number of employees and gross annual revenue only includes entities that share information systems, cybersecurity resources, or any part of a cybersecurity program with the covered entity.]

In addition to the core cybersecurity program requirements above, Class A Companies must also implement solutions for:

  • Designing and conducting independent audits of cybersecurity programs
  • Endpoint detection and response
  • Central security logging and event management
  • Privileged access management (PAM).

Cybersecurity Program Governance

Under the revised regulation, a covered entity’s senior governing body will be accountable for ensuring that the CISO’s security plans and initiatives will sufficiently protect the firm, in accordance with its regulatory requirements. The senior governing body must ensure that the CISO is equipped with adequate resources to manage initiatives and implement controls to meet the covered entity’s security objectives. 

The senior governing body must receive, review and take action (as necessary) on management reports about cybersecurity matters relevant to exercising this oversight, and must remain informed of the covered entity’s risk posture and the effectiveness of the program. To meet these obligations, the senior governing body must include participants who have “sufficient understanding of cybersecurity-related matters to exercise such oversight, which may include the use of advisors”.

A Timetable for Compliance

With so much to do, covered entities should get started as soon as possible on identifying and remediating the security program gaps that stand between them and compliance with the updated cybersecurity regulation. NYDFS has defined an 18- to 24-month timetable from the release of the amended regulation for covered entities to implement these updated requirements.

  • December 1, 2023 – The 72-hour incident reporting requirement went into effect.
  • April 15, 2024 – Covered entities should submit either Certification of Material Compliance or Acknowledgment of Noncompliance for calendar year 2023.
  • April 29, 2024 – Annual security risk assessments (including penetration tests) and policy updates should be complete.
  • November 1, 2024 – Cybersecurity program governance and data encryption practices should be fully operational.
  • November 1, 2025 – Covered entities must complete the deployment of multi-factor authentication and must be able to produce complete and accurate asset inventories.

Conclusion

First, if your firm operates in New York, you should review the NYDFS Cybersecurity Regulation site to see if you qualify as a covered entity and whether you may be eligible for any type of exception.

Second, examine your internal cybersecurity capabilities to determine how much change the organization might need to make to align with the amended requirements. Develop a prioritized roadmap to close the gaps in accordance with NYDFS’ defined compliance deadlines.  

As part of the planning process, determine whether you have adequate resources to implement the changes and develop a staffing plan for implementation and ongoing management of enhanced controls. Many firms choose to employ consultants to facilitate the temporary efforts to conduct preliminary assessments, to develop strategic plans and to implement tactics and controls.

Once the transition to business-as-usual operations is complete, these firms can reduce their labor pool to a more manageable and budget-friendly level.

Capco partners with financial services firms to design and build security and privacy solutions aligned to each firm’s unique business conditions and regulatory requirements. Whether your organization needs strategic security program guidance or tactical solutions support to meet existing obligations and mandates, Capco specializes in solving business, data, and security imperatives across the financial sector.

© Capco 2025, A Wipro Company