On February 16, 2017, the state of New York Department of Financial Services (“NYDFS”) finalized its new cybersecurity rule (“23 NYCRR 500”) which creates new information security requirements for a “Covered Entity” under NYDFS supervision. This new detailed regulation includes requirements to appoint a Chief Information Security Officer (“CISO”), to implement and maintain a written cybersecurity policy, and more.
Note: RIA in a Box LLC is not a law firm and does not provide legal advice. We strongly advise all RIA firms that operate in the state of New York consult legal counsel to determine the potential applicability of 23 NYCRR 500. This content is as of April 11, 2017 and subject to change without notice. This overview is provided for general information purposes only and should not be relied upon to take any action.
The final rule became effective on March 1, 2017. The new rule establishes a series of information security compliance deadlines over the next two years with seven of the rule’s specific requirements mandated to be implemented by August 28, 2017. The requirements outlined by this new regulation include:
- Establish a cybersecurity program
- Implement and maintain a written cybersecurity policy
- Designate a CISO
- Implement an audit trail
- Utilize access privileges
- Evaluate, assess, and test security of in-house and external technology applications
- Conduct a periodic risk assessment
- Ensure cybersecurity personnel are properly trained and qualified
- Establish policies and procedures to protect nonpublic information held by third party service providers
- Implement multi-factor or risk-based authentication
- Ensure secure disposal on a periodic basis of any nonpublic information
- Monitor and train all firm personnel
- Encryption of nonpublic information
- Establish a written incident response plan
- Notify the superintendent regarding any cybersecurity event within 72 hours
As registered investment adviser (“RIA”) compliance consultants, we have received a number of recent questions relating to whether this new rule applies to RIA firms with a place of business in the state of New York? As it stands right now, it does not appear that an RIA firm is a “Covered Entity” subject to the new state of New York cybersecurity rule. The New York Department of Financial Services is not the licensing or regulatory authority for investment advisers. Rather, the New York State Attorney General handles the regulation of RIA firms for state-registered firms located in New York. However, although this rule may not be directly applicable to an investment advisory firm, there may be firms with affiliated outside business activities such as insurance or banking services which are in fact regulated by the NYDFS and subject to this new rule.
It’s also important to note that regardless if the rule is directly applicable, all state and federally-registered investment advisers should take a few minutes to review this new information security rule in detail. The rule outlines a helpful playbook and series of best practices that RIA firms should strongly consider when designing, implementing, and testing information security programs.
We also suggest that all RIA firm principals review some of our past cybersecurity coverage:
- The Greatest RIA Cybersecurity Threat is Your Firm’s Staff: What To Do
- Should an RIA firm Utilize a Password Manager Tool?
- How RIA Firms Can Utilize 2 Factor Authentication To Improve Security
- NASAA releases RIA Cybersecurity compliance survey results
- SEC Issues New RIA Cybersecurity Guidance Risk Alert