Financial
New York State Department of Financial Services
The 23 NYCRR 500 is a set of regulations from the NYS Department of Financial Services that places cybersecurity requirements on all covered financial institutions. The document and requirements were released on February 16th, 2017. As of March 1, 2018, all organizations must be in compliance with the regulations. These regulations are designed to ensure businesses effectively protect their customers’ confidential information from cyber-attacks. Non-compliance with the rule can incur fines of $250,000 or one percent of total banking assets. Requirements include:
- 500.02 - Establish an effective cybersecurity program
- 500.03 - Create and maintain a written cybersecurity policy
- 500.04 - Designate a chief information security officer (CISO)
- 500.05 - Perform vulnerability scanning and/or penetration testing
- 500.09 - Perform regular security risk assessments
- 500.10-11 - Hire qualified cybersecurity personnel or utilize third-party service providers
- 500.14 - Provide regular security awareness training for all personnel
- 500.16 - Establish an incident response plan
- 500.17 - Submit notification of incidents to the NYS DFS within a 72-hour window
Which Organizations?
The organizations that have to comply with the requirements of 23 NYCRR 500 include but are not limited to the following:
- State-chartered banks
- Licensed lenders
- Private bankers
- Foreign banks licensed to operate in New York
- Mortgage companies
- Insurance companies
- Service providers
Who Is Exempt?
Organizations that employ fewer than 10 people, produced less than $5 million in gross annual revenue from New York operations in each of the past three years, or hold less than $10 million in year-end total assets are exempt from certain requirements of the Regulation.
For more about 23 NYCRR 500 and how DataSure24 can help, contact us.
NCUA (National Credit Union Association) - Part 748 Appendix A
The NCUA Board has modified its security program requirements to include the security of credit union member information. Further, the NCUA Board is issuing “Guidelines for Safeguarding Member Information” to implement certain provisions of the Gramm-Leach-Bliley Act (GLBA).
Currently, NCUA regulations require that federally-insured credit unions have a written security program designed to protect each credit union from robberies, burglaries, and embezzlement, and to assist in the identification of persons who attempt such crimes.
Expanding the scope of protection to include threats or hazards to member information systems is a natural fit within a comprehensive security program. This expansion, covering cyber threats to member information systems and data, is set out in Appendix A of Part 748, “Guidelines for Safeguarding Member Information”.
Requirements:
- Req. 2A - Documented information security program
- Req. 3B-1 - Internal and external risk/vulnerability assessments
- Req. 3B-3 - Policies and procedure development and assessment
- Req. 3C-1-F - Monitoring systems and procedures to detect incidents
- Req. 3C-1-G - Incident response plan and program
- Req. 3C-2 - Security awareness training
- Req. 3C-4 - Regular testing of the controls, systems and procedures of the information security program
- Req. 3F - Annual reporting to the board
Who has to comply?
The Guidelines apply to member information maintained by or on behalf of federally-insured credit unions. Such entities are referred to in this appendix as “the credit union.” (Excerpt taken directly from Appendix A of Part 748.) Information is defined as “nonpublic personal information” of “members” as those terms are defined in 12 CFR part 716, NCUA’s rule captioned Privacy of Consumer Financial Information (the Privacy Rule or Part 716).
For more about the Safeguards Rule and how DataSure24 can help, contact us.