The New York Department of Financial Services (NYDFS) implemented significant amendments to its Cybersecurity Regulation 23 NYCRR (Part 500), effective November 1, 2023. These changes necessitate immediate attention and action from many financial services businesses licensed to operate within New York State.
We’ve broken down a quick snapshot of what you need to know and consider, including:
- Companies affected
- A summary of the changes and their impact on an organization’s Salesforce org
- A timeline for compliance
- Recommended next steps
You can also download this action alert resource as a reference for the information outlined below.
Companies Affected by Amendments to 23 NYCRR Part 500
The regulation defines a covered entity as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” If your organization holds such an authorization, the amended requirements apply to you regardless of where your systems, including Salesforce, are hosted.
Summary of Changes

| Summary of Changes | Impacts to Salesforce |
|---|---|
| Updated program requirements: additional cybersecurity obligations, including independent audits, enhanced monitoring of privileged-access activity, and deployment of endpoint detection and response (EDR) solutions. | A managed cybersecurity program covering core systems will become the norm. For Salesforce, Shield Event Monitoring, with event log files exported to a SIEM or retained for forensics, is the natural way to evidence monitoring of privileged-access activity. |
| Enhanced governance requirements: annual reporting to the board on cybersecurity, yearly compliance certification signed by the CEO and CISO, and regular testing of incident response and business continuity plans. | Additional scrutiny of an organization’s IT systems, including Salesforce, and more crossover between executives and business system owners. |
| Technical requirements for all covered entities: mandatory multi-factor authentication for system access, stringent monitoring and protection against malicious code, and comprehensive encryption of nonpublic information. | Shield Platform Encryption addresses encryption at rest, but only for the fields, files, and attachments you enable it on; data in transit is protected separately by TLS, and MFA must be enforced for all users, not just administrators. Expect additional DevOps and change-management controls. |
| Incident response and business continuity planning: detailed incident response plans that address recovery from backups, plus comprehensive business continuity and disaster recovery (BCDR) plans. | Ongoing testing of systems will be required, including validating backups and performing test restores of Salesforce data and metadata. |
| Breach notification obligations: ransomware notification requirements and ongoing updates to NYDFS as information about a cybersecurity event develops. | Like other statutes, New York now requires breach notifications under a detailed protocol (notice to NYDFS within 72 hours of determining a cybersecurity event has occurred), so keeping incident response and disaster recovery plans current is critical. Shield Event Monitoring, log forensics, and Transaction Security Policies are the tools for detecting a suspected breach in Salesforce and responding to it. |
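What “monitoring of privileged-access activity” over exported event logs looks like in practice, as an added example that is not part of the original post or a Red Argyle tool: a small detector run over constructed lines laid out like a Salesforce Event Log File export for the Login event type (a subset of the documented columns; the user names, IP ranges, and status values are assumptions for this example). It flags successful administrator logins from outside a trusted network and a password-guessing burst followed by a successful login, two of the first things a forensic reviewer looks for.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layout of a Salesforce Event Log File export for the
# Login event type. Only a subset of the documented columns is used, and every
# value below is made up for this example; it is not real org data.
SAMPLE_LOGIN_CSV = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_NAME,USER_TYPE,SOURCE_IP,LOGIN_STATUS,API_TYPE
Login,2024-03-01T09:00:00.000Z,admin@example.com,Standard,10.20.30.40,LOGIN_NO_ERROR,
Login,2024-03-01T09:05:00.000Z,admin@example.com,Standard,203.0.113.77,LOGIN_NO_ERROR,
Login,2024-03-01T09:10:00.000Z,analyst@example.com,Standard,203.0.113.5,LOGIN_ERROR_INVALID_PASSWORD,
Login,2024-03-01T09:10:20.000Z,analyst@example.com,Standard,203.0.113.5,LOGIN_ERROR_INVALID_PASSWORD,
Login,2024-03-01T09:10:45.000Z,analyst@example.com,Standard,203.0.113.5,LOGIN_ERROR_INVALID_PASSWORD,
Login,2024-03-01T09:11:00.000Z,analyst@example.com,Standard,203.0.113.5,LOGIN_NO_ERROR,
Login,2024-03-01T12:00:00.000Z,integration@example.com,Standard,10.20.30.41,LOGIN_NO_ERROR,R
"""

# Assumed: users holding the System Administrator profile (in a real deployment,
# pull this list from the org rather than hard-coding it).
PRIVILEGED_USERS = {"admin@example.com"}
# Assumed: the corporate egress range that administrators normally log in from.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.30.0/24")]


def parse_login_events(csv_text):
    """Parse the CSV export into dicts and attach a datetime under 'ts'."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["ts"] = datetime.strptime(row["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return rows


def is_trusted(ip, networks=TRUSTED_NETWORKS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def flag_privileged_access(events, privileged=PRIVILEGED_USERS, networks=TRUSTED_NETWORKS):
    """Successful logins by privileged users from outside the trusted networks."""
    alerts = []
    for e in events:
        if (e["USER_NAME"] in privileged
                and e["LOGIN_STATUS"] == "LOGIN_NO_ERROR"
                and not is_trusted(e["SOURCE_IP"], networks)):
            alerts.append(("PRIV_LOGIN_UNTRUSTED_IP", e["USER_NAME"], e["SOURCE_IP"]))
    return alerts


def flag_failed_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """A run of failed logins followed by a success for the same user and IP.

    Returns one alert per (user, ip) sequence where at least `threshold`
    failures occurred within `window` before the successful login.
    """
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        by_key[(e["USER_NAME"], e["SOURCE_IP"])].append(e)

    alerts = []
    for (user, ip), seq in by_key.items():
        failures = []
        for e in seq:
            if e["LOGIN_STATUS"] != "LOGIN_NO_ERROR":
                failures.append(e["ts"])
                continue
            recent = [t for t in failures if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append(("SUCCESS_AFTER_FAILURES", user, ip, len(recent)))
            failures = []  # a success ends the current run of failures
    return alerts


if __name__ == "__main__":
    evts = parse_login_events(SAMPLE_LOGIN_CSV)
    for alert in flag_privileged_access(evts) + flag_failed_then_success(evts):
        print(alert)
```

The same two checks run unchanged over a real export once the privileged-user list and trusted ranges are filled in from the org; the point for Part 500 is that the output, retained alongside the raw event log files, is the evidence that privileged-access activity is actually being reviewed rather than merely collected.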
Timeline for Compliance
- December 1, 2023: Notification obligations to NYDFS take effect.
- April 15, 2024: First annual certification under the amended rules is due.
- April 29, 2024: Risk assessment and cybersecurity policy requirements take effect.
- November 1, 2024: Governance, encryption, and incident response and BCDR requirements take effect.
- May 1, 2025: Vulnerability scanning, access privilege, malicious-code protection, and other technical requirements take effect.
- November 1, 2025: Universal multi-factor authentication and asset inventory requirements take effect.
Suggested Next Steps
Review Your Systems
The substantial changes in Part 500 raise the bar for Salesforce administrators and business owners: review the security maturity of your org now, against each row of the table above, and take deliberate steps to close the gaps before the corresponding deadline.
Make a Plan
Check out our security resource, Salesforce Cybersecurity: Climbing the Mountain, for tools to start your Cybersecurity compliance effort. Also, here’s an FAQ resource from the DFS Cybersecurity Resource Center.
You can also download the information outlined in this blog post.
Cybersecurity experts at Red Argyle are prepared to assist you in fulfilling these requirements along with current SEC and FINRA requirements. For a free consultation, reach out to get the conversation started!