NYDFS 500 vs. DORA

A Comparison for European Financial Institutions

This is a comparison of NYDFS 500 and the Digital Operational Resilience Act (DORA), intended to give European financial institutions the knowledge they need to prepare for DORA.


It is aimed at institutions that are also subject to NYDFS oversight, so that they can align their efforts to meet both regulations.


Before reading, you should be familiar with DORA, a new European Union regulation designed to protect the financial sector against threats to, and disruption of, its information and communication technology (ICT).

The New York State Department of Financial Services (NYDFS) is a regulatory agency that oversees financial institutions operating in New York. Its primary responsibilities include: 

  • Ensuring the safety and soundness of financial institutions

  • Protecting consumers

  • Fostering the growth of the NY financial services sector

NYDFS-covered entities encompass banks, insurance companies, mortgage lenders, and other financial institutions. 

In March 2017, the NYDFS enacted a Cyber Security Regulation (23 NYCRR Part 500), commonly known as NYDFS 500. The intent was to ensure covered entities establish and maintain strong cyber security practices to protect consumers and the financial system’s stability against the relentless increase in attacks by cyber criminals targeting the financial services sector.

In November 2023, NYDFS amended the regulation, adding substantial new requirements. This update was intended to address changes in the cyber security threat landscape and the increasing sophistication and frequency of attacks.

The amendment was also designed to mitigate common weaknesses, which NYDFS believed to be the root cause of security incidents that affected covered entities over the six years since the original regulation was enacted.

Non-compliance with NYDFS 500 can have severe financial implications. Since 2017, NYDFS has imposed fines on at least 16 covered entities, with an average settlement of $2.2 million. Larger institutions have faced penalties in the $4–5 million range. These figures are a stark reminder of the importance of strict adherence to NYDFS 500. 

The following sections compare each section of NYDFS 500 to DORA, identifying areas of overlap, additional requirements in NYDFS 500, and other key differences, so that a financial institution subject to both regulations can see where one set of controls satisfies both and where more is needed.

500.2 Cyber Security Program

This section requires covered entities to develop and maintain a cyber security program that includes:

  • Risk Identification and Assessment

  • Defensive Infrastructure Implementation

  • Cyber Security Event Detection, Response, and Recovery 

  • Regulatory Reporting

It also requires larger institutions, designated ‘Class A Companies’, to conduct independent audits of their programs, and requires all covered entities to make program documentation available to NYDFS upon request.

In DORA, the ICT Risk Management Framework (RMF) is analogous to the Cyber Security Program in NYDFS 500 and covers the same elements, except for regulatory reporting:

  • Risk Identification and Assessment [Article 8(2)] 

  • Defensive Infrastructure [Article 7]

  • Detection [Article 10], and Response and Recovery [Article 11]

Like NYDFS 500, DORA also requires regular audits of the RMF [Article 6(6)], and documentation must be submitted to regulators upon request [Article 6(5)].

500.3 Cyber Security Policy

NYDFS directly specifies 15 areas that policies and procedures must address:


  1. Information security
  2. Data governance, classification, and retention
  3. Asset inventory, device management, and end-of-life management
  4. Access controls, including remote access and identity management
  5. Business continuity and disaster recovery planning and resources
  6. Systems operations and availability concerns
  7. Systems and network security and monitoring
  8. Security awareness and training
  9. Systems and application security, and development and quality assurance
  10. Physical security and environmental controls
  11. Customer data privacy
  12. Vendor and third-party service provider management
  13. Risk assessment
  14. Incident response and notification
  15. Vulnerability management


A senior officer or the governing body must review and approve these policies annually.


DORA also requires covered entities to put policies in place [Article 5(2)(b)] and mentions some specific policies throughout the regulation, but the requirements are less direct and prescriptive. The following maps policies required by NYDFS 500 to those specified by DORA:


  1. Information security [Article 9(4)(a)]
  2. Data governance, classification, and retention [not mentioned]
  3. Asset inventory, device management, and end-of-life management [not mentioned]
  4. Access controls, including remote access and identity management [Article 9(4)(c)-(d); Article 15(3)(b)]
  5. Business continuity and disaster recovery planning and resources [Business Continuity: Article 11(1)]
  6. Systems operations and availability concerns [not mentioned]
  7. Systems and network security and monitoring [not mentioned]
  8. Security awareness and training [not mentioned]
  9. Systems and application security and development and quality assurance [not mentioned]
  10. Physical security and environmental controls [not mentioned]
  11. Customer data privacy [not mentioned]
  12. Vendor and third-party service provider management [not mentioned]
  13. Risk assessment [not mentioned]
  14. Incident response and notification [Incident classification: Article 24(5)]
  15. Vulnerability management [Patch management: Article 9(4)(f)]


DORA doesn’t explicitly state that the management body must approve policies in general or that they need to be periodically reviewed. The exceptions are the ICT business continuity policy [Article 5(2)(e)] and the policy on the use of ICT third-party service providers [Article 5(2)(h)], both of which the management body must approve and periodically review.

500.4 Cyber Security Governance

NYDFS 500 requires covered entities to designate a qualified CISO. The CISO may be from a third-party service provider or affiliate, but the entity retains compliance responsibility.

The CISO must give an annual report on the cyber security program to the senior governing body, which covers the following:

  • Security Defenses

  • Policy and Procedures 

  • Risk Assessment

  • Program Effectiveness

  • Cyber security Incidents

  • Gap Remediation 

In the interim, the CISO must also promptly report to the senior governing body on any cyber security issues, security events, or significant changes to the program.

The senior governing body is required to exercise oversight of cyber security risk management and has the following responsibilities:

  • Possess sufficient understanding of cyber security matters for effective oversight

  • Direct development and maintenance of the cyber security program 

  • Allocate adequate resources for the program

  • Regularly review cyber security reports

Unlike NYDFS 500, DORA doesn’t include a specific requirement for annual reporting on the state of the RMF to the management body.

DORA’s only explicitly defined reporting requirements specific to the management body are for senior ICT staff to report at least yearly on the findings from digital operational resilience testing and real-life ICT incidents [Article 13(5)], and for the management body to be informed of major ICT-related incidents [Article 17(3)(e)].

DORA also requires the RMF to be reviewed at least yearly but doesn’t specify management body involvement [Article 6(5)].

Under DORA, the management body is also ultimately responsible for the RMF [Article 5(2)(a)] and has all the responsibilities defined in NYDFS 500 except for regularly reviewing cyber security reports:

  • Keep up to date with sufficient cyber security knowledge and skills [Article 5(4)]

  • Define, approve, oversee, and be responsible for RMF implementation [Article 5(2)] 

  • Allocate appropriate budget [Article 5(2)(g)]

500.5 Vulnerability Management

NYDFS vulnerability management requirements include:

  • Perform annual internal and external penetration testing by a qualified internal or external party.

  • Perform automated scans of systems and manual review of systems not covered by automated scans periodically and after material changes.

  • Implement a process to stay informed of new security vulnerabilities. 

  • Remediate vulnerabilities in a timely, risk-based manner.

DORA has equivalent requirements for penetration testing but is less specific than NYDFS 500 regarding vulnerability scans and patch management.

About penetration testing:

  • DORA requires appropriate testing, which includes penetration testing [Article 25(1)], to be performed at least yearly on all ICT systems and applications supporting critical or important functions [Article 24(6)].

  • DORA doesn’t explicitly state whether testing needs to be from an internal or external perspective, while NYDFS 500 requires both.

  • DORA doesn’t specifically require ‘qualified’ testers for penetration testing.

Please note that the above statements relate to Article 24 (general requirements for resilience testing) and Article 25 (Testing of ICT tools and systems), which includes penetration testing. DORA has more stringent requirements for Threat-Led Penetration Testing (TLPT) [Articles 26 and 27], but TLPT is red teaming, which NYDFS 500 doesn’t explicitly require.

For vulnerability scanning, the ‘Testing of ICT tools and systems’ article lists ‘vulnerability assessments and scans’ among its ‘appropriate tests’ [Article 25(1)]. DORA also requires remediation of the issues found in testing [Article 24(5)], but it doesn’t explicitly state that remediation must be timely, as NYDFS 500 does, and it doesn’t mention the manual review of systems that can’t be scanned, which NYDFS 500 requires.

Concerning monitoring for new vulnerabilities, the ‘Learning and Evolving’ article states that covered entities must have ‘capabilities and staff to gather information on vulnerabilities and cyber threats’ [Article 13(1)].

500.6 Audit Trail

This section requires covered entities to securely maintain systems that collect audit trails designed to detect and respond to cyber security events and can reconstruct material financial transactions.

The security event audit trails must be retained for three years, and the financial transaction logs must be retained for five years.

DORA doesn’t define requirements specific to collecting and managing audit logs.

500.7 Access Privileges and Management

This section requires covered entities to do the following:

  • Limit user access (i.e., the principle of least privilege)

  • Review (recertify) user access

  • Terminate user access when they leave the organization 

  • Define a password policy

  • Automatically block common passwords

  • Implement a privileged access management solution

  • Restrict the number of privileged accounts 

  • Limit privileged account usage

  • Monitor privileged access activity

  • Disable or securely configure protocols that permit remote control of devices

DORA is much less prescriptive in the access management domain. In comparison with NYDFS 500: 

  • Limiting user access is also a requirement in DORA [Article 9(4)(c)].

  • Reviewing user access isn’t directly mentioned but may be implied in a statement that entities must establish policies, procedures, and controls to ensure a sound administration of access rights [Article 9(4)(c)].

  • Terminating leavers’ access isn’t directly mentioned but can also be implied in the statement above.

  • DORA doesn’t define any specific requirements for passwords. 

  • DORA doesn’t require entities to implement a privileged access management solution or include specific requirements around privileged accounts.

  • DORA doesn’t require disabling or securely configuring remote control protocols.

500.8 Application Security

NYDFS 500 requires entities to ensure secure development practices for in-house developed applications and assess the security of externally developed applications. It also requires the CISO to review the associated procedures, guidelines, and standards at least annually.

Source code reviews are included in DORA’s list of appropriate tests under ‘Testing of ICT tools and systems’ [Article 25(1)], but secure software development isn't mentioned further.

Concerning externally developed applications, DORA requires that third-party service providers participate and fully cooperate with the entity’s Threat-Led Penetration Testing (TLPT) [Article 30(3)(d)].

500.9 Risk Assessment

NYDFS 500 requires covered entities to conduct risk assessments of information systems at least annually and whenever a change in the business or technology causes a material change to the covered entity’s cyber risk.

The assessment must account for risks particular to the covered entity’s business operations, technological developments, and evolving threats and explain how the identified risks will be addressed.

The assessment must be performed according to written policies and procedures which cover:

  • Risk evaluation and categorization 

  • Assessment of the confidentiality, integrity, security, and availability of information systems and nonpublic information

  • Requirements for risk treatment (e.g., mitigate or accept)

DORA also requires risk assessments to be performed annually [Article 8(2)] and following significant changes to information systems or business functions [Article 8(3)].

Like NYDFS 500, DORA also directs entities to identify risks relevant to supported business functions and consider the impact of technological developments and new cyber attacks [Article 13(7)]. 

DORA doesn’t explicitly mention risk assessment procedures. Concerning the elements that NYDFS 500 specifies to be included in these procedures, DORA includes risk classification [Article 18(2)] but doesn’t touch on risk treatment.

500.10 Cyber Security Personnel and Intelligence

This section requires covered entities to have qualified cyber security personnel, give them sufficient training to address security risks, and verify that they maintain current knowledge of cyber security threats and countermeasures.

NYDFS 500 allows covered entities to use qualified personnel from an affiliate or third-party service provider.

DORA doesn’t explicitly require qualified cyber security personnel but mentions that independent auditors must possess sufficient cyber risk knowledge, skills, and expertise [Article 6(6)].

DORA requires Security Awareness Training (SAT) for all employees [Article 13(6)]. Although it doesn’t mention specific or additional training for cyber security personnel, it says the training should have a ‘level of complexity commensurate to the remit of employee functions’. 

DORA requires entities to keep up-to-date with the latest cyber risk management processes [Article 13(7)]. Still, it doesn’t include verifying that individual personnel comply with this directive.

Concerning NYDFS 500 allowing the use of qualified third-party personnel to manage cyber security, DORA doesn’t mention this but also doesn’t prohibit it.

500.11 Third-Party Service Provider Security Policy

Regarding third-party risk management, NYDFS requires that covered entities:

  • Identify (inventory) third parties

  • Perform third-party risk assessments

  • Define minimum cyber security practices necessary for third parties to meet 

  • Conduct due diligence

  • Perform continuous monitoring

The regulation mentions explicitly that due diligence must cover the third party’s access control and encryption practices.

Additionally, entities must require third parties to give representations and warranties on their cyber security policies and procedures and to notify the entity if a cyber security event directly impacts its information systems.

The following NYDFS 500 requirements are also included in DORA:

  • Third-party Identification [Article 8(5)]

  • Risk Assessment [Article 28(4)(c)]

  • Due Diligence [Article 28(4)] 

  • Continuous Monitoring [Article 28(6)]

DORA doesn’t explicitly include the following third-party risk management requirements contained in NYDFS 500:

  • Notification in the event of a security incident

  • The concept of Minimum Cyber Security Practices 

  • Specific mention that access control and encryption must be covered in due diligence

  • Representations and warranties on the third party’s cyber security policies and procedures

500.12 Multi-Factor Authentication

NYDFS 500 requires MFA for ‘any individual accessing any information systems of a covered entity’ unless the CISO approves in writing the use of reasonably equivalent or more secure compensating controls.

DORA doesn’t mandate MFA by name. The closest requirement is Article 9(4)(d), which calls for ‘strong authentication mechanisms, based on relevant standards’ without specifying the factors to be used or offering a CISO-approved compensating-control exception.

500.13 Asset Management and Data Retention Requirements

NYDFS 500 requires covered entities to maintain a complete, accurate, documented asset inventory per written policies and procedures. It also specifies required inventory data fields (owner, location, classification or sensitivity, support expiration date, and recovery time goal).

The inventory must be validated and updated at a frequency the covered entity defines; NYDFS 500 doesn’t prescribe one.

Additionally, this section requires covered entities to regularly and securely dispose of unnecessary nonpublic information unless its retention is required by law or disposal is impractical due to how the data is maintained.

DORA requires financial entities to identify all information assets [Article 8(4)]. Assets considered critical must be identified as such, but no other inventory fields are specified. The inventory must be updated periodically and after significant changes [Article 8(6)].

DORA doesn’t include any requirements around data disposal.

500.14 Monitoring and Training

This section requires covered entities to:

  • Monitor user activity to detect unauthorized access or tampering with nonpublic information.

  • Protect against malicious code, including monitoring and filtering web traffic and emails to block malicious content.

  • Give annual cyber security awareness training for all personnel that reflects the entity’s risk assessment and covers social engineering. 

Additionally, Class A Companies are required to implement:

  • An endpoint detection and response (EDR) solution to monitor anomalous activity

  • A solution that centralizes logging and security event alerting (i.e., SIEM)

DORA doesn’t require user activity monitoring or specifically mention malware or web/email filtering. Like NYDFS, DORA also requires yearly Security Awareness Training [Article 13(6)] but doesn’t specify that it needs to align with the entity’s risk assessment or cover social engineering. 

DORA also doesn’t explicitly require the implementation of EDR or SIEM solutions.

500.15 Encryption of Nonpublic Information

Covered entities must have a written policy requiring encryption that meets industry standards for nonpublic information in transit over external networks and at rest.

If a covered entity determines encrypting nonpublic information at rest is impractical, it may use alternative security measures that have been reviewed and approved in writing by the CISO. When exercising this option, the CISO must revalidate the infeasibility of encryption and the effectiveness of the compensating controls annually.

DORA doesn’t include an explicit encryption requirement comparable to this section. Article 9(4)(d) refers to protection of cryptographic keys ‘whereby data is encrypted based on results of approved data classification and ICT risk assessment processes’, but it doesn’t mandate encryption in transit and at rest, set an industry-standard bar, or define a compensating-control process.

500.16 Incident Response and Business Continuity Management

Entities must have an Incident Response Plan designed to allow prompt response and recovery. Plan content must include:

  • Goals of the plan

  • Process for responding to incidents

  • Roles and responsibilities and decision-making authority

  • Internal and external communications plan

  • Identification of remediation requirements

  • Documentation and reporting

  • Backup recovery processes

  • Root cause analysis

  • Updating of incident response plans as necessary

Entities must also have a Business Continuity and Disaster Recovery (BCDR) Plan designed to ensure the availability and functionality of systems and services in the event of a cybersecurity-related disruption.

At a minimum, the BCDR plan must identify:

  • Dependencies essential to the continued operations of the covered entity’s business, such as documents, data, facilities, infrastructure, services, personnel, and competencies.

  • Personnel responsible for implementing each aspect of the BCDR plan.

  • Third parties necessary for the continued operations of the covered entity’s information systems.

And include: 

  • A plan to communicate with essential persons in the event of a cybersecurity-related disruption to the covered entity’s operations, including employees, counterparties, regulatory authorities, third-party service providers, disaster recovery specialists, the senior governing body, and any other persons essential to the recovery of documentation and data and the resumption of operations.

  • Procedures for the timely recovery of critical data and information systems and to resume operations as soon as reasonably possible following a cybersecurity-related disruption to normal business activities.

  • Procedures for backing up or copying, with sufficient frequency, information essential to the covered entity’s operations and storing such information offsite.

In addition to maintaining these plans, entities must:

  • Ensure that current copies of the IR and BCDR plans are available during a cyber security event to all employees necessary for plan execution.

  • Give training to all employees responsible for implementing the plans.

  • Perform annual tests of IR and BCDR plans with all staff and management critical to the response and revise the plan as necessary.

  • Perform annual tests of the ability to restore critical data and information systems from backups.

  • Maintain backups necessary to restore material operations and ensure these backups are protected from unauthorized alterations or destruction.

DORA covers the above NYDFS 500 requirements as follows: 

Incident Response Plan [Article 17(3)(f)]

  • Goals (not mentioned)

  • Process (not specifically mentioned, but implied that this would be included in the IR Plan)

  • Roles and responsibilities [Article 17(3)(c)]

  • Communications plan [Article 17(3)(d)]

  • Remediation requirements (not mentioned) 

  • Documentation and reporting (not mentioned)

  • Backup recovery processes (not mentioned in the context of IR Planning)

  • Root cause analysis [Article 17(2)]

  • Updating of incident response plans [Article 13(3)]

BCDR Plan [Article 11(2)]

  • Essential dependencies [Article 11(5)]

  • Personnel (not mentioned)

  • Third parties (not mentioned)

  • Communication plan (not mentioned)

  • Recovery procedures [Article 12(1(b))]

  • Backup procedures [Article 12(1(a))]

Other requirements include:

  • Copies of plans available during an incident (not mentioned)

  • IR and BCDR Plan Training (not mentioned)

  • Annual test of IR Plan (not mentioned)

  • Annual test of BCDR Plan [Article 11(6)(a)]

  • Annual test of backup and recovery procedures [Article 12(2)]

  • Maintain secure backups [Article 12(1) and Article 12(3)]

500.17 Notices to Superintendent

NYDFS 500 includes the following requirements to submit notifications to the regulator:

Notice of cyber security incident:

  • Notify NYDFS within 72 hours of determining that a cyber security incident has occurred at the covered entity, its affiliates, or a third-party service provider.

  • Promptly respond to NYDFS requests for information about the incident.

  • Update NYDFS on any new information or material changes regarding the incident.

Notice of compliance (signed by the CEO and CISO):

  • Annual certification that the entity complied with the regulation during the prior calendar year, or acknowledgment that it did not comply, with a description of the gaps and a timeline for remediation.

  • Retain documentation supporting the certification, or details of the remediation plans, for five years for NYDFS examination.

Extortion payments (e.g., ransomware):

  • Within 24 hours, notify NYDFS that an extortion payment was made.

  • Within 30 days, explain why the payment was necessary and what diligence was performed to find alternatives.

Under DORA, financial entities must report major cyber security incidents [Article 19(1)]. Like NYDFS 500, this includes an initial notification followed by updates on changes and new information [Article 19(4)]. 

At the time of writing, the time limits for the notifications are yet to be determined; DORA delegates them to regulatory technical standards [Article 20(1)(a)(ii)].

DORA doesn’t include requirements to certify compliance with the regulation or give justifications for making ransomware payments.

Get in touch for more help with the NYDFS 500

While NYDFS 500 reflects many of the same security requirements as DORA, the New York regulation is more prescriptive in some areas. Understanding the differences is essential for financial institutions seeking to achieve compliance with both regulations.

DORA generally takes a more principle-based approach, though this will likely change as the supporting Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) are published.

WithSecure Consulting hopes the above comparison will help European financial institutions recognize the similarities and differences between NYDFS 500 and DORA more easily, and use this information to harmonize their efforts in assessing compliance with both regulations.

Thank you for your interest. Please contact us with questions about this article or the NYDFS 500 and DORA regulations. WithSecure Consulting is committed to supporting organizations in meeting regulatory and other cyber security challenges.
