Understanding and Taking Advantage of the NYDFS Risk Assessment Requirement
Posted by: Will Klotz
As organizations prepare for the coming year, those affected by NYDFS may struggle to fit the requirements efficiently into their plans. The annually required risk assessment can be the linchpin of a roadmap that covers not only the NYDFS requirements but also the most relevant risks the organization is facing.
What are the NYDFS requirements and 23 NYCRR Part 500?
The New York Department of Financial Services (NYDFS) adopted the regulation ‘23 NYCRR Part 500’ effective March 1, 2017. The regulation is a set of cybersecurity requirements for applicable financial institutions licensed in New York. An amendment took effect on November 1, 2023, updating the regulation with stricter timelines and requirements. The NYDFS website has additional guidance on determining which entities are required to follow the regulation.
While the regulation has its own unique name, the requirements are typically referred to as the NYDFS requirements, or simply NYDFS, which is how it will be referred to for the remainder of the article.
The Risk Assessment
One of the notable 2023 updates to NYDFS was the requirement to conduct the cybersecurity risk assessment at least annually (the 2017 text required only a periodic assessment). Section 500.9 states that the risk assessment “shall allow for revision of controls to respond to technological developments and evolving threats and shall consider the particular risks facing the Covered Entity.” Using the NYDFS requirements as the baseline control set for the assessment satisfies this while also documenting the organization’s state of compliance with NYDFS.
The risk assessment process has three additional requirements.
- Criteria for determining cybersecurity risk
There are many frameworks available in the cybersecurity industry that can be used to determine risk. Using a hybrid approach, with NYDFS as the focus, helps scope the assessment so that it is thorough without becoming unmanageably broad.
- Criteria for assessing the confidentiality, integrity, and availability of information systems and nonpublic information
Using a risk matrix to classify risk levels uniformly helps prioritization and makes it possible to produce visual aids (heat maps) showing the risk levels of in-scope information systems. If the organization has an enterprise risk management function, the same risk matrix should be used so that cybersecurity risks can be compared directly with other enterprise risks.
- A description of the identified risks and the risk treatment plan
The identified risks should be described during scoping, and those descriptions remain useful throughout the process. Treatments are decided after the assessment, once the identified assets have been examined in more depth.
Opportunity to Enhance Cybersecurity Posture
Since the risk assessment is required anyway, it should be used to full advantage, and it brings many opportunities. Discussions on scoping the assessment naturally help identify the organization’s assets that affect the confidentiality, integrity, and availability of nonpublic information.
Setting aside time for a risk workshop helps ensure that all assets are identified and that the risk scenarios are well defined and thought through. For an effective workshop, bring industry threat data and global trends into the scenario discussion rather than relying only on internal opinion.
By assessing against current and emerging risks, the assessor can evaluate existing controls and identify areas of improvement, which feed directly into the risk treatment plan. For planning purposes, a visual roadmap that also includes the NYDFS requirements is effective.
Tracking the observations
Once the risk assessment is complete, observations and recommendations for improvement will be made. Observations from a risk assessment shouldn’t be seen as a bad thing; the point of the assessment is to stay ahead of threats and issues, so observations and recommendations should be welcomed as they strengthen the organization’s cybersecurity program.
To maximize effect, track observations and recommendations in an automated system of record rather than in ad hoc spreadsheets: each risk gets an owner, a treatment decision, a due date and a status, so updates can be gathered and treatment plans tracked to completion. Without that, it is easy to lose track of the risk treatments. A GRC tool is well suited to initiatives like this.
Risk Treatments
To achieve results from the risk assessment, the organization must decide on a treatment for each risk. While the assessor will provide recommendations, the organization must balance the risk treatments with business needs. The National Institute of Standards and Technology (NIST) describes five treatment options:
- Mitigate
- This can include technical controls, policy or other documentation updates, or organizational changes that reduce the risk.
- Accept
- When the risk level is within the organization’s tolerance, the risk can be accepted. Acceptance should be documented and approved by the risk owner, not left implicit.
- Avoid
- When the risk can be avoided by changing or removing the activity that creates it.
- Transfer
- This occurs with the purchase of insurance or when the risk is transferred to another organization through a contractual arrangement. Note that a contract shifts the financial consequences, not the covered entity’s regulatory accountability.
- Any combination of the above
- This hybrid approach combines two or more of the other treatment options, for example mitigating part of a risk and accepting the remainder.
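The risk matrix from the second assessment criterion above and the treatment options just listed, worked through as an added example. This is illustrative code written for this article; it is not from NYDFS, NIST or GuidePoint. The 5x5 scale, the level bands, the "Moderate" tolerance, the sample register and its risk ids are all constructed assumptions.

```python
"""Risk matrix scoring, heat map and treatment-plan checks (added example)."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

# Assumed 5x5 matrix (constructed for this example, not a NYDFS or NIST scale):
# likelihood and impact are each rated 1 (lowest) to 5 (highest); the score is
# their product, banded into four levels by the inclusive upper bounds below.
SCALE = range(1, 6)
LEVEL_ORDER = ["Low", "Moderate", "High", "Critical"]
LEVEL_UPPER = [("Low", 4), ("Moderate", 9), ("High", 15), ("Critical", 25)]
TREATMENTS = {"Mitigate", "Accept", "Avoid", "Transfer"}

def score(likelihood: int, impact: int) -> int:
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must each be rated 1..5")
    return likelihood * impact

def level(s: int) -> str:
    return next(name for name, upper in LEVEL_UPPER if s <= upper)

@dataclass
class Risk:
    rid: str
    description: str
    likelihood: int
    impact: int
    treatments: frozenset = frozenset()     # subset of TREATMENTS; several = combination
    residual_likelihood: int | None = None  # expected ratings once treatment is done
    residual_impact: int | None = None
    owner: str = ""

    def inherent(self) -> str:
        return level(score(self.likelihood, self.impact))

    def residual(self) -> str:
        lk = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        im = self.impact if self.residual_impact is None else self.residual_impact
        return level(score(lk, im))

def check_treatment(risk: Risk, tolerance: str = "Moderate") -> list:
    """Findings for one risk; an empty list means the plan fits the tolerance."""
    findings = []
    unknown = risk.treatments - TREATMENTS
    if unknown:
        findings.append(f"{risk.rid}: unknown treatment(s) {sorted(unknown)}")
    if not risk.treatments:
        return findings + [f"{risk.rid}: no treatment decided"]
    if not risk.owner:
        findings.append(f"{risk.rid}: no owner assigned")
    # Whatever the treatment (plain acceptance included), the residual rating
    # must sit within tolerance, otherwise an approved exception is required.
    if LEVEL_ORDER.index(risk.residual()) > LEVEL_ORDER.index(tolerance):
        findings.append(f"{risk.rid}: residual {risk.residual()} is above the "
                        f"{tolerance} tolerance; treat further or document an approved exception")
    return findings

def audit(risks: list, tolerance: str = "Moderate") -> list:
    return [f for r in risks for f in check_treatment(r, tolerance)]

def prioritize(risks: list) -> list:
    """Highest inherent score first: the order the treatment plan should address."""
    return sorted(risks, key=lambda r: score(r.likelihood, r.impact), reverse=True)

def heat_map(risks: list) -> dict:
    """Group risk ids by their inherent (likelihood, impact) cell for plotting."""
    cells = defaultdict(list)
    for r in risks:
        cells[(r.likelihood, r.impact)].append(r.rid)
    return dict(cells)

def render_heat_map(risks: list) -> str:
    """Text heat map, impact down the side and likelihood across; empty cells show the band letter."""
    cells = heat_map(risks)
    lines = ["impact\\likelihood" + "".join(f"{lk:>8}" for lk in SCALE)]
    for im in reversed(SCALE):
        row = f"{im:>17}"
        for lk in SCALE:
            row += f"{','.join(cells.get((lk, im), [])) or level(score(lk, im))[0].lower():>8}"
        lines.append(row)
    return "\n".join(lines)

# Constructed sample register (hypothetical risks, not real findings).
SAMPLE_RISKS = [
    Risk("R1", "Unpatched internet-facing VPN appliance", 4, 5,
         frozenset({"Mitigate"}), residual_likelihood=1, owner="Infrastructure"),
    Risk("R2", "Payroll vendor processes NPI without security terms in the contract", 3, 4,
         frozenset({"Mitigate", "Transfer"}), residual_likelihood=2, residual_impact=3,
         owner="Vendor management"),
    Risk("R3", "Legacy file share holding NPI readable by all staff", 4, 4,
         frozenset({"Accept"}), owner="IT operations"),
    Risk("R4", "Loss of a laptop protected by full-disk encryption", 2, 2,
         frozenset({"Accept"}), owner="End-user computing"),
    Risk("R5", "Reporting tool past vendor end of support", 3, 3),
]

if __name__ == "__main__":
    print(render_heat_map(SAMPLE_RISKS))
    for r in prioritize(SAMPLE_RISKS):
        print(r.rid, r.inherent(), "->", r.residual(), sorted(r.treatments))
    for finding in audit(SAMPLE_RISKS):
        print("FINDING:", finding)
```

Running it prints the heat map, the register in priority order, and two findings: R3 is a Critical risk that someone chose simply to accept, which the check refuses because acceptance is only a valid sole treatment when the rating is already within tolerance, and R5 has no treatment decided at all. Changing the `tolerance` argument lets the same register be re-checked against a stricter or looser risk appetite without re-scoring anything.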
The NYDFS requirements can seem daunting when seen only as more compliance obligations. The annual risk assessment, however, can enhance the security of the organization and keep it on a path of continuous improvement: it identifies the greatest risks and produces heat maps and roadmaps that are understandable at every level of the organization.
Will Klotz
Senior Security Consultant, Risk,
GuidePoint Security
Will Klotz is a Senior Security Consultant at GuidePoint Security. He began his cybersecurity journey in 2010 when he started his eight-year enlistment with the US Army. He held various positions during his service, including two years as the Network Security Officer while stationed in Korea.
He has worked in multiple roles within the industry. Most recently he served as a GRC Manager, where he created, implemented and managed various cybersecurity risk programs.