Drive 23 NYCRR 500 sensitive data compliance

23 NYCRR 500 Overview

NYDFS Cybersecurity Regulation

23 NYCRR 500 is a regulation in the state of New York that establishes cybersecurity requirements for financial services companies regulated by the New York State Department of Financial Services (NYDFS). It is intended to protect consumers and ensure the integrity and confidentiality of sensitive financial information. The goal of 23 NYCRR 500 is to ensure that financial services companies in New York have strong cybersecurity programs in place to protect against cyber threats and to maintain the integrity and confidentiality of sensitive financial information.

Businesses impacted

23 NYCRR 500 is a regulation in the state of New York that applies to financial services companies regulated by the New York State Department of Financial Services (NYDFS). This includes a wide range of businesses, including:

• Banks
• Insurance companies
• Money transmitters
• Mortgage companies
• Credit card issuers
• Consumer lending companies
• Credit reporting agencies
• Debt collection agencies
• In addition to these businesses, 23 NYCRR 500 also applies to affiliated entities of these companies, such as subsidiaries, holding companies, and joint ventures.

The regulation requires these companies to implement robust cybersecurity programs to protect against cyber threats and to maintain the integrity and confidentiality of sensitive financial information.

Data types covered

23 NYCRR 500 requires companies to implement robust cybersecurity programs to protect against cyber threats and to maintain the integrity and confidentiality of sensitive financial information. The regulation covers a wide range of data types, including both personal and financial information. Examples of data types that may be covered by 23 NYCRR 500 include:

• Personal identification information, such as names, addresses, and social security numbers
• Financial account information, such as bank account numbers and credit card numbers
• Personal financial information, such as income, assets, and liabilities
• Health information
• Insurance information
• Employment information
• Intellectual property

The specific data types that are covered by the regulation may vary depending on the specific business activities of the financial services company. The regulation requires these companies to implement controls to protect against unauthorized access to or tampering with nonpublic information, which may include any data that is not publicly available or that is subject to confidentiality agreements or other legal protections.

Compliance requirements

To comply with 23 NYCRR 500, financial services companies are required to:

1. Develop and implement a written cybersecurity policy that reflects the company’s specific risk profile and business activities. The policy should include provisions for the protection of nonpublic information, the secure disposal of nonpublic information, and the secure transmission of nonpublic information.
2. Designate a chief information security officer (CISO) who is responsible for the development and oversight of the cybersecurity program. The CISO should have the appropriate level of authority and resources to effectively manage the program.
3. Implement controls to protect against unauthorized access to or tampering with nonpublic information. This may include technical controls such as firewalls, intrusion detection and prevention systems, and encryption, as well as non-technical controls such as employee training and incident response plans.
4. Conduct annual penetration testing and vulnerability assessments. These assessments should be conducted by qualified third parties and should include both external and internal testing.
5. Implement multi-factor authentication for certain privileged users and external users accessing the company’s systems.
6. Encrypt all nonpublic information in transit and at rest.
7. Establish incident response plans to address cybersecurity events. These plans should include procedures for responding to cyber threats, recovering from cyber attacks, and reporting incidents to the NYDFS.
8. Provide regular cybersecurity awareness training to employees. This training should cover topics such as the importance of cybersecurity, how to recognize and prevent cyber threats, and the company’s incident response procedures.

Enforcement and penalties

If a financial services company fails to comply with the requirements of 23 NYCRR 500, it may be subject to enforcement action by the NYDFS.

The NYDFS has the authority to investigate alleged violations of the regulation and to take appropriate enforcement action, which may include the imposition of fines, the issuance of cease and desist orders, or the revocation or suspension of licenses. The NYDFS may also refer cases to other law enforcement agencies for further investigation and prosecution.

The specific penalties that may be imposed for non-compliance with 23 NYCRR 500 will depend on the nature and severity of the violation, as well as the company’s history of compliance with the regulation. The NYDFS has the authority to impose fines of up to $5,000 for each day that a violation continues, and may also seek additional remedies, such as the reimbursement of damages or the restoration of lost data.

Financial services companies that fail to comply with 23 NYCRR 500 may also face reputational damage, as well as legal and financial liability for any harm caused by a cyber attack or data breach. It is important for these companies to take the necessary steps to comply with the regulation in order to protect against cyber threats and to maintain the integrity and confidentiality of sensitive financial information.

Six ways Qohash drives compliance

Breach identification

Monitor sensitive data risk around the clock and receive alerts the instant risky accumulation, deletion or exfiltration occurs. If an incident occurs, use keyword search to look up a specific data element and track the full data lineage, including the exact location where the data got out of an environment, where it ended up – every touch point in between.

Sensitive data inventory

Qohash provides a complete inventory of sensitive, unstructured data at-rest. Qohash discovers sensitive data 50x faster than alternatives, across any data source, in any location. Qohash provides labeling, classification, custom RegEx and keyword searches, plus ranked and contextualized risk.

Data deletion

Run keyword searches by name, date, credit card number and more to find all copies of sensitive data across business systems. See which categories of sensitive data are stored on business systems. See how specific data elements moved across employees and locations. Delete data directly within the platform to show compliance with data deletion requests in any location – including endpoints.

Risk assessment

A foundational step in conducting a risk assessment, Qohash provides an inventory of regulated data across every data source. It provides access control lists for evaluation as to whether those with access have a legitimate business need for it. Gain insight into all sensitive data critical exposure points. See how much sensitive data is on business systems and who has access to it. Put policies in place, configure risk levels appropriate to the business, and receive notifications the instant policy violations occur.

Policy enforcement

Qohash provides auditors with evidence that sensitive data is monitored and cross-referenced to employee interactions, enabling in-the-moment policy enforcement. Qohash looks into files to track data elements. It monitors those elements and cross-references them to employees and locations. Know the instant an employee has a risky interaction with sensitive data. Trace the lineage of any data element that moves onto workstations, for faster remediation.

Access control

Quickly create an access control list of all regulated data. Provide evidence of restrictions and show regular evaluation of whether those with access have a legitimate business need for it.