NYS DFS sets the standard for cybersecurity best practices with Article 24 Part 500

February 1, 2017

Last week the New York State Department of Financial Services closed its request for comments on its new cyber regulations, Article 24 Part 500. The rule will require new cybersecurity measures for firms that meet the rule’s definition of “Covered Entity.” Among other things, firms will be required to self-certify their compliance (see Appendix A of Part 500). The final regulation will go into effect in March 2017, and there are various transition periods set out for compliance.

What are the requirements?
In summary, the rule will require industry-standard best practices for cybersecurity programs. The rule will require firms to:

  • Develop a cybersecurity program
  • Implement a cybersecurity policy
  • Assign a Chief Information Security Officer to oversee the program
  • Conduct annual penetration testing and bi-annual vulnerability assessments
  • Maintain an audit trail of activity
  • Limit access privileges to information systems
  • Develop written procedures and guidelines around application security
  • Conduct periodic risk assessments to test and improve the cybersecurity program
  • Provide awareness training and intelligence to personnel
  • Develop third-party service provider policies that call for:
    • Cybersecurity risk assessments
    • Due diligence processes and evaluation criteria
    • Periodic assessments
  • Implement multi-factor authentication for accessing information systems and nonpublic information
  • Call for limitations on data retention
  • Notify the superintendent no later than 72 hours after a cyber event

Who does this apply to?
The rule defines “Covered Entity” as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”

It is our understanding that a firm that is solely an SEC-registered investment adviser, and that has no banking or insurance business regulated by New York State, will not be a “Covered Entity” subject to the rule – even if the firm notice files in New York. However, advisers that also engage in insurance or banking business supervised by New York regulators may be covered. Because the determination of what firms are and aren’t a “Covered Entity” may be unclear in many situations, clients are advised to consult on this question with legal counsel.

ACA Aponix Guidance

Even if NY’s Article 24 Part 500 may not be applicable to your firm, it sets out a framework that may be followed by other states, and provides a clear set of guidelines for firms to consider. For ACA Aponix clients that have engaged us for our flagship services, nearly all elements of Part 500 are covered.

If you have questions related to cybersecurity requirements noted in Article 24 Part 500 or would like more information about our flagship services, please contact Henry Lindemann.