RIA Compliance and Practice Management Blog

Does New York DFS Cybersecurity Rule (23 NYCRR 500) impact RIA Firms?

Posted by RIA in a Box

Apr 10, 2017 3:00:23 PM

On February 16, 2017, the New York State Department of Financial Services ("NYDFS") finalized its new cybersecurity rule ("23 NYCRR 500"), which creates new information security requirements for any "Covered Entity" under NYDFS supervision. This detailed regulation includes requirements to appoint a Chief Information Security Officer ("CISO"), to implement and maintain a written cybersecurity policy, and more.


Note: RIA in a Box LLC is not a law firm and does not provide legal advice. We strongly advise all RIA firms that operate in the state of New York consult legal counsel to determine the potential applicability of 23 NYCRR 500. This content is as of April 11, 2017 and subject to change without notice. This overview is provided for general information purposes only and should not be relied upon to take any action.


The final rule became effective on March 1, 2017. It establishes a series of information security compliance deadlines over the next two years, with the first group of requirements mandated to be in place by August 28, 2017, the end of the rule's initial 180-day transitional period. The requirements outlined by the regulation include:

  • Establish a cybersecurity program
  • Implement and maintain a written cybersecurity policy
  • Designate a CISO
  • Implement an audit trail
  • Limit user access privileges to systems holding nonpublic information and periodically review those privileges
  • Evaluate, assess, and test security of in-house and external technology applications
  • Conduct a periodic risk assessment
  • Ensure cybersecurity personnel are properly trained and qualified
  • Establish policies and procedures to protect nonpublic information held by third party service providers
  • Implement multi-factor or risk-based authentication
  • Ensure secure disposal on a periodic basis of any nonpublic information
  • Monitor and train all firm personnel
  • Encrypt nonpublic information in transit over external networks and at rest (or document compensating controls approved by the CISO)
  • Establish a written incident response plan
  • Notify the superintendent within 72 hours of determining that a reportable cybersecurity event has occurred (one with a reasonable likelihood of material harm, or one that must be reported to another government or regulatory body)

As registered investment adviser ("RIA") compliance consultants, we have received a number of recent questions asking whether this new rule applies to RIA firms with a place of business in the state of New York. As it stands right now, it does not appear that an RIA firm is a "Covered Entity" subject to the new New York cybersecurity rule. The NYDFS is not the licensing or regulatory authority for investment advisers; rather, the New York State Attorney General regulates state-registered RIA firms located in New York, and federally-registered firms answer to the SEC. However, although the rule may not be directly applicable to an investment advisory firm, some firms have affiliated outside business activities, such as insurance or banking services, that are in fact regulated by the NYDFS and therefore subject to this new rule. Firms in that position should confirm with counsel which affiliated entities are covered and whether shared systems or personnel bring the advisory business within scope.

It's also important to note that, regardless of whether the rule is directly applicable, all state and federally-registered investment advisers should take a few minutes to review this new information security rule in detail. The rule outlines a helpful playbook and series of best practices (a named security owner, a written policy, access controls, multi-factor authentication, encryption, an incident response plan, and periodic risk assessments) that RIA firms should strongly consider when designing, implementing, and testing their information security programs.

We also suggest that all RIA firm principals review some of our past cybersecurity coverage:


Lexington Compliance and RIA in a Box LLC are not law firms, investment advisory firms, or CPA firms. Lexington Compliance and RIA in a Box LLC do not provide legal advice or opinions to any party or client. You should always consult your relevant regulatory authorities or legal counsel if applicable.

Topics: RIA Compliance
