IT Service Provider Requirements Under NY DFS 23 NYCRR 500

Guest Contributor - Tom Cornelius (Senior Partner, ComplianceForge)

The impact of New York Department of Financial Services (NY DFS) 23 NYCRR Part 500, Cybersecurity Requirements for Financial Services Companies, affects both financial services and technology companies on a global scale, based on the far-reaching requirements that expand beyond the borders of New York state.

Too Long / Didn’t Read (TL/DR): NY DFS 23NYCRR500 creates legal jeopardy for executives of both financial institutions and technology service providers. This regulation has significant requirements that hold both cybersecurity and business leadership accountable through annual attestation requirements:

• Cybersecurity governance practices must be aligned with a nationally-recognized cybersecurity framework;
• Maintain sufficient evidence of due diligence and due care practices;
• Annual requirements to test incident response and business continuity capabilities;
• Annual risk assessments; and
• Annual conformity assessments (large organizations require independent assessments).

What Companies Must Comply With NY DFS 23NYCRR Part 500?

NY DFS casts a wide net for entities that must comply with 23 NYCRR 500, since it not only includes financial institutions, but technology service providers. These Covered Entities (CE) must comply with this NY DFS regulation that governs cybersecurity practices. Examples of financial institutions that must comply with 23 NYCRR 500 include any of the following that have a presence in of New York state:

• Banks:
  • State-chartered banks;
  • Commercial banks;
  • Savings banks;
  • Foreign banks;
  • Private banks;
• Credit unions;
• Trust companies;
• Virtual currency firms;
• Insurance companies;
• Mortgage brokers and lenders;
• Health Maintenance Organizations (HMOs);
• Continuing Care Retirement Communities (CCRCs); and
• Other entities licensed or registered by the NYDFS.

Are Third-Party Service Providers Required To Comply With NY DFS 23NYCRR500?

Yes. Section 500.4 requires third-party service providers to “maintain a cybersecurity program that protects the CE in accordance with the requirements.” This means that third-party service providers must be able to demonstrate conformity with NY DFS 23NYCRR500 requirements for its own cybersecurity governance practices.

According to NY DFS, a third-party service provider means an individual or entity that:

• Is not an affiliate of the CE;
• Is not a governmental entity;
• Provides services to the CE; and
• Maintains, processes or otherwise is permitted access to Non-Public Information (NPI) through its provision of services to the covered entity.

Third-party service providers that must comply with NY DFS 23 NYCRR500 include, but are not limited to:

• Managed Service Providers (MSP);
• Managed Security Services Providers (MSSP);
• Technology integrators; and
• Any entity that has access to a CE’s systems and/or data.

Furthermore, Section 500.10 requires that third-party service provider to utilize “qualified cybersecurity personnel” sufficient to:

• Manage the CE’s cybersecurity risks; and
• Perform, or oversee, the performance of the core cybersecurity functions specified in the regulation.

How Does A Covered Entity (CE) Ensure Third-Party Service Providers Are Compliant?

NY DFS emphasizes the importance of a thorough due diligence process in evaluating the cybersecurity practices of a CE’s third-party service providers. Per the NY DFS Cybersecurity Resource Center, a self-attestation by a third-party service provider is not adequate due diligence. Therefore, CE must:

• Assess the risks each third-party service provider poses to their:
  • NPI; and
  • Systems/services; and
• Effectively address those risks.

Does The CISO Have To Attest To Being Compliant Each Year?

Yes. There are both internal and external attestation requirements in NY DFS 23NYCRR500.

Internal Attestation To The Board of Directors or Governing Body

Section 500.4(b) requires the Chief Information Security Officer (CISO) of each CE to report in writing at least annually to the CE’s Board of Directors (BoD) or equivalent senior governing body. If the CE does not have a BoD, or equivalent governing body, the CISO must present the report to the senior officer of the CE who is overall responsible for the CE’s cybersecurity program.

The CISO’s report on the CE’s cybersecurity program and material cybersecurity risks must cover the following topics, to the extent applicable:

• The confidentiality of Non-Public Information (NPI);
• The integrity and security of the CE’s information systems;
• The CE’s cybersecurity policies and procedures;
• Applicable material cybersecurity risks;
• The overall effectiveness of the CE’s cybersecurity program;
• Material cybersecurity events involving the CE during the time period addressed by the report; and
• Plans for remediating material inadequacies.

It is important to point out that Section 500.4(a) allows the CISO to be an employee of:

• The CE;
• One of the CE’s affiliates; or
• A third-party service provider (e.g., virtual CISO).

External Attestation To The Superintendent of NY DFS

Section 500.17 requires the CE to submit a written statement to through the NY DFS Portal by April 15th of each year that the CE:

• Materially complied with the requirements during the prior calendar year that is based upon data and documentation sufficient to accurately determine and demonstrate such material compliance, including, to the extent necessary:
  1. Documentation of officers, employees, representatives, outside vendors and other individuals or entities; and
  2. Documentation, whether in the form of reports, certifications, schedules or otherwise; or
• Acknowledges that, for the prior calendar year, the covered entity did not materially comply with all the requirements that:
  1. Identifies all sections that the CE has not materially complied with and describes the nature and extent of such noncompliance; and
  2. Provides a remediation timeline or confirmation that remediation has been completed.

Instructions on how to submit a “certification of material compliance for entities pursuant to 23 NYCRR Part 500.17(b)(1)(i)” are available on the NY DFS website.

Is NY DFS 23NYCRR500 A “One Size Fits All” Approach To Compliance?

No. Per Section 500.20(c)(15), while DFS expects CEs to use a “nationally recognized cybersecurity framework” to align its cybersecurity governance practices, including its policies and procedures (e.g., NIST CSF, SCF, ISO 27001, CIS, etc.) there are caveats, based on organization size:

NY DFS NYCRR500 – Large Entity Additional Requirements (Class A Companies)

For CEs with significant revenue and/or personnel headcount, there are additional requirements. Section 500.1(d) defines a “Class A Company” as a CE with at least $20,000,000 in gross annual revenue in each of the last two fiscal years from all business operations of the CE (including its affiliates) in New York and:

• Over 2,000 employees averaged over the last two fiscal years, including employees of both the CE and its affiliates, no matter where located; or
• Over $1,000,000,000 in gross annual revenue in each of the last two fiscal years from all business operations of the CE and its affiliates, no matter where located.

Section 500.2(c) requires Class A Companies to “design and conduct independent audits of its cybersecurity program based on its risk assessment.”

NY DFS 23NYCRR500 – Small Entity Exemptions

For CEs with smaller revenue and/or personnel headcount, there are exceptions to the requirements. Section 500.19 offers limited exemptions for smaller CEs, based on the following criteria:

• Fewer than 20 employees and independent contractors of the CE and its affiliates.
• Less than $7,500,000 in gross annual revenue in each of the last three fiscal years from all business operations of the CE and the business operations in NY of the CE’s affiliates; or
• Less than $15,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all affiliates.

For CEs that meet that criteria, the CE is exempt from sections 500.4, 500.5, 500.6, 500.8, 500.10, 500.14(a)(1), (a)(2), and (b), 500.15 and 500.16 of NY DFS 23NYCRR500.

Resources To Help Demonstrate Conformity With NY DFS 23NYCRR500 Requirements

Due to the legal exposure to CEs and third-party service providers, it is advisable to obtain independent assessments. The Secure Controls Framework (SCF) has a Conformity Assessment Program (CAP) that provides a capability to obtain a third-party certification to demonstrate conformity with NY DFS 23NYCRR500 requirements. A third-party assessment helps provide evidence of due diligence and due care for CISOs and senior leadership that reasonable cybersecurity governance practices exist.