NYDFS 23 NYCRR 500

NY Department of Financial Services Cybersecurity Regulation

With Tehama you can leverage a SOC 2 Type II end-user compute environment to achieve and maintain compliance with regulatory requirements for heavily regulated industries such as banking, financial services, health care, energy and utilities, insurance and government enterprises. The Tehama solution has 107 SOC 2 Type II controls built into the platform, saving you time and resources on your internal SOC 2 Type II audits.


NYDFS 23 NYCRR 500 Regulation

The State of New York is the first state to introduce a cybersecurity regulation designed to protect the financial services’ critical infrastructure. The NY Department of Financial Services (NYDFS) introduced the NYDFS Cybersecurity Regulation (23 NYCRR 500) that imposes new cybersecurity requirements on all covered financial institutions.

The 23 NYCRR 500 Regulation applies to all businesses operating under, or required to operate under, DFS licensure, registration, or charter, or which are otherwise DFS-regulated, as well as, by extension, unregulated third-party service providers to regulated entities.

This includes:

1. State-chartered banks
2. Licensed lenders
3. Private bankers
4. Foreign banks licensed to operate in New York
5. Mortgage companies
6. Insurance companies
7. Service providers

Accelerate your compliance with Tehama

Section 500.11 requires all covered entities (financial services organizations) to comply with the Third Party Service Provider Security Policy requirements.

“Section 500.11 Third Party Service Provider Security Policy.

Section 500.11 (a) Third Party Service Provider Policy. Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers. Such policies and procedures shall be based on the Risk Assessment of the Covered Entity and shall address to the extent applicable:

(1) the identification and risk assessment of Third Party Service Providers;
(2) minimum cybersecurity practices required to be met by such Third Party Service Providers in order for them to do business with the Covered Entity;
(3) due diligence processes used to evaluate the adequacy of cybersecurity practices of such Third Party Service Providers; and
(4) periodic assessment of such Third-Party Service Providers based on the risk they present and the continued adequacy of their cybersecurity practices.”

In Tehama, financial services organizations can set cybersecurity policies such as treatment of data, access to sensitive data, privileged credential management and obfuscation, nationality and security clearance access, geo-fencing access with partner IAM solutions, and additional compliance regulations for third-party service providers. Tehama can track how third parties, such as service providers, are adhering to their policies and prevent them from delivering services or accessing critical systems if they fail to comply with those policies.

Via deep audit, activity logging and session recordings, the financial services institution can track the activity of every individual within the service provider or sub-contractor while they deliver services on mission-critical and data-sensitive assets. Tehama calls this continuous compliance and governance.

Section 500.11 (b) goes on to require that those policies and procedures include guidelines addressing, to the extent applicable:

“(1) the Third-Party Service Provider's policies and procedures for access controls, including its use of Multi-Factor Authentication as required by section 500.12 of this Part, to limit access to relevant Information Systems and Nonpublic Information;
(2) the Third-Party Service Provider's policies and procedures for use of encryption as required by section 500.15 of this Part to protect Nonpublic Information in transit and at rest;
(3) notice to be provided to the Covered Entity in the event of a Cybersecurity Event directly impacting the Covered Entity's Information Systems or the Covered Entity’s Nonpublic Information being held by the Third Party Service Provider; and
(4) representations and warranties addressing the Third-Party Service Provider's cybersecurity policies and procedures that relate to the security of the Covered Entity’s Information Systems or Nonpublic Information.”

Tehama applies several layers of protection to adhere to section 500.11 (b).

(1) Tehama requires all third-party providers to use multi-factor authentication to access the critical systems;
(2) Tehama limits access to only the systems the third party has been granted access to;
(3) All work done within the Tehama platform is encrypted, all communications between the third-party worker and Tehama are encrypted, and all communication between the Tehama platform and the financial services infrastructure is encrypted; and
(4) Tehama, via its unique architecture, prevents endpoint device infections from penetrating into the Tehama platform. Tehama also has a continuous intrusion detection service that observes all files and activity for additional protection.

Furthermore, the Tehama platform is certified SOC 2 Type II compliant and undergoes rigorous penetration testing as part of the SOC 2 Type II audit.

“Section 500.11 (c) Limited Exception. An agent, employee, representative or designee of a Covered Entity who is itself a Covered Entity need not develop its own Third Party Information Security Policy pursuant to this section if the agent, employee, representative or designee follows the policy of the Covered Entity that is required to comply with this Part.”

Tehama supports multi-party collaboration between third parties and covered entities, so that several contractors can collaborate on the same project or access the same critical infrastructure. All policies and procedures defined in the Tehama platform for one financial institution can be extended to every collaborator in its services ecosystem.
