Title 23 NYCRR Part 500 (often referred to as NYDFS NYCRR 500), issued by the New York State Department of Financial Services (DFS), establishes cybersecurity requirements for financial services companies to counteract threats from various malicious entities. The regulation, which was rolled out in phases, mandates that each financial entity assess its specific risk profile and design a robust cybersecurity program tailored to its risks, with senior management responsible for the program’s oversight and annual compliance certification. The regulation aims to protect customer information and the information systems of regulated entities, ensuring the institutions’ safety and soundness and customer protection.

Which Organizations Fall Under NYDFS NYCRR 500 Compliance Mandates?

The NYDFS NYCRR 500 Cybersecurity Regulation is mandatory for a wide range of financial institutions regulated by the New York State Department of Financial Services (DFS). This includes entities such as:

  • State-chartered banks & credit unions
  • Licensed lenders
  • Mortgage lenders
  • Health insurers
  • Insurance firms
  • Holding companies
  • Investment & Trust organizations
  • Budget & finance planners
  • Check cashing and money transmitters
  • Premium finance agencies
  • Foreign banks authorized in New York

Key Provisions of NYDFS NYCRR 500

The NYDFS NYCRR 500 Cybersecurity Regulation requires financial institutions to identify and defend against cybersecurity threats, establish detection systems for cybersecurity events, and respond effectively. Institutions must also have recovery plans for such events and meet strict regulatory reporting requirements to ensure transparency and accountability in managing cyber risks.

Two sections of NYDFS NYCRR 500 that deal with securing applications are worth calling out:

1. Risk Assessment Requirement

  • Each entity must conduct a risk assessment to inform the design of its cybersecurity program, identifying and addressing vulnerabilities. Specifically, companies must institute procedures to assess and test the security of externally developed applications. Firms must have written procedures and guidelines to ensure the security of all applications developed in-house, as well as formal processes for evaluating and testing the security of applications developed externally.

2. Cybersecurity Program Implementation

  • Entities are required to implement a comprehensive cybersecurity program that includes identification, protection, detection, response, and recovery measures for cybersecurity events, including popular mobile applications deployed by financial organizations.

Verimatrix and NYDFS NYCRR 500

Verimatrix can help New York-based financial organizations adhere to and comply with NYDFS NYCRR 500 by:

1. Risk Assessment Requirement

  • Action: Utilize Verimatrix’s Mobile App Security Risk Assessment service to conduct thorough evaluations of mobile applications, with a detailed written report of the findings, including how safe the app is and how its security can be improved. The apps are then hardened with Verimatrix XTD. Finally, threats are detected and responded to once your apps are released into the wild on the app stores.
  • Benefit: Verimatrix’s service helps identify and address potential vulnerabilities in mobile applications, helping customers fulfil the Risk Assessment Requirement of NYDFS NYCRR 500, which requires entities to conduct risk assessments to inform their cybersecurity programs.

2. Cybersecurity Program Implementation

  • Action: Deploy Verimatrix XTD’s suite of cybersecurity solutions via our online platform for managing and monitoring cyber threats to your application ecosystem, securing your mobile apps, APIs, web and desktop/embedded apps, and more.
  • Benefit: The Verimatrix XTD platform empowers customers to implement a cybersecurity program that includes identification, protection, detection, response, and recovery measures for cybersecurity events relating to applications, ensuring compliance with NYDFS NYCRR 500.

As New York financial executives adopt NYDFS NYCRR 500’s cybersecurity standards, it’s crucial not to forget mobile apps, which, for many financial organizations, have become the primary method for consumers to communicate with the brands they do business with. Effective implementation of the mandated security measures is not only about compliance and fortifying a company’s cyber defenses, but also about protecting consumer information and personal finances. Non-compliance can result in severe penalties, including enforcement actions by the superintendent, fines, lawsuits and more, underscoring that NYDFS NYCRR 500 needs to be taken seriously.