
InfoBytes Blog

Financial Services Law Insights and Observations

NYDFS addresses use of cyber assessment framework in risk assessment process

Privacy/Cyber Risk & Data Security State Issues NYDFS State Regulators 23 NYCRR Part 500 Bank Regulatory


On December 9, NYDFS updated its FAQs regarding 23 NYCRR Part 500, which established cybersecurity requirements for banks, insurance companies, and other financial services institutions. (See InfoBytes coverage on 23 NYCRR Part 500 here.) New FAQ 41 addresses whether covered entities should use a cyber assessment framework as part of the risk assessment process required by Sections 500.9 and 500.2(b). NYDFS clarified that while it “does not require a specific standard or framework for use in the risk assessment process,” it expects covered entities “to implement a framework and methodology that best suits their risk and operations.” Commonly employed frameworks cited by NYDFS include the FFIEC Cybersecurity Assessment Tool, the CRI Profile, and the NIST Cybersecurity Framework.