NYDFS Cybersecurity Regulation: Two Years Later, Let’s Check-In

Introduction

— by Lindsey Ullian, Threat Stack Compliance Manager

Back in 2017, we brought our readers up to date on the NYDFS Cybersecurity Regulation (23 NYCRR 500), a new set of regulations introduced by the New York Department of Financial Services (NYDFS). For many of us, other compliance frameworks, such as the GDPR, have held more of our attention over the past two years, and 23 NYCRR 500 has somewhat slipped from sight. But given that entities covered by 23 NYCRR 500 must comply whether they are based in New York or not, it’s time to refamiliarize yourself with the regulation.

With that in mind, Collin Varner, Senior Associate at Schellman & Company, has prepared a detailed update on what’s been happening with the regulation since it was introduced, along with key issues you need to understand.

Here’s Collin’s article…

[March 2019] marked two years since the New York Department of Financial Services (NYDFS) cybersecurity requirements went into effect. So what exactly has been happening during that period? Let’s check in on the moving parts of this still young cybersecurity requirement.

Overview

For those unfamiliar, in March 2017, NYDFS Cybersecurity Regulation (23 NYCRR 500) was released stipulating that all entities operating under DFS licensure, registration, or charter must submit a Certification of Compliance stating that they adhere to the requirements. Whether based in New York or not, organizations conducting business or hosting information (“Covered Entities”) related to New York banking, insurance, and financial services industries must comply with these regulations.

Who Are Covered Entities?

The NYDFS covers any organization that is regulated by the Department of Financial Services. This includes:

  • Licensed lenders
  • State-chartered banks
  • Trust companies
  • Service contract providers
  • Private bankers
  • Mortgage companies
  • Insurance companies doing business in New York
  • Non-U.S. banks licensed to operate in New York

There are exceptions clearly defined within NYDFS’ FAQ that primarily apply to smaller organizations with fewer than ten employees and/or less than $5 million in gross annual revenue. Additionally, companies that do not control nonpublic information also qualify for exemptions. It is critical to note, however, that even where an exemption applies, you may still be required to comply with specific sections of the regulation.

Further, if you provide services to any of the above, you could be subject to these requirements. Upon release, NYDFS issued transitional periods for Covered Entities to implement and document a cybersecurity program that complies with the defined requirements. The past month’s two-year anniversary of the standard also marks the final phase of the transition period allotted to Covered Entities in order to comply. This phase stipulates that organizations must be able to report that all third-party providers with access to nonpublic information meet minimum cybersecurity practices (500.11), by way of written policies and procedures designed to ensure the security of information systems and nonpublic information against risk posed by third-party service providers. However, organizations are not required to certify their compliance with 500.11 until February 15, 2020. So if you believe you may fall under this category, it would be beneficial to refamiliarize yourself with the standard and agree on a timeframe for compliance with your customers.

Third-Party Service Provider Security Policy (500.11)

Let’s visit the requirements in the final transition period. Per the regulation, under the final phase of the two-year transitional period, Covered Entities shall have implemented, by February 15, 2020, written policies and procedures designed to ensure the security of information systems and nonpublic information maintained or accessed by third parties. What do you need to do in order to comply? If you recall, within phase two of the four-phase rollout of the regulation, section 500.09 stipulates that Covered Entities conduct a periodic risk assessment (read: at least annually) that covers the IT systems and nonpublic information encompassed by the organization’s cybersecurity program.

In order to comply with section 500.11, the written documentation is required to be based on risk assessments and must include:

  • The identification and risk assessment of third-party service providers;
  • Minimum cybersecurity practices required to be met by such providers in order for them to do business with the Covered Entity;
  • Due diligence processes used to evaluate the adequacy of cybersecurity practices; and
  • Periodic assessment of third parties based on the risk they present and the continued adequacy of their cybersecurity practices.

Additionally, policies and procedures should also provide guidelines for due diligence around third-party actions, including:

  • The third party’s procedures regarding access control, specifically the use of multi-factor authentication (500.12)
  • Encryption of nonpublic information (500.15)
  • Notification of any act, successful or unsuccessful, of unauthorized access to or misuse of information (500.17)

Memo From the Superintendent

In December 2018, the superintendent of NYDFS, Maria Vullo, released a memorandum emphasizing the need for education and training, which can help ensure that all parts of the organization are aware of and follow proper cybersecurity procedures. It also highlighted attacks specific to email and the transmission of data, stressing the importance of complying with the following:

  • Multifactor Authentication (500.12): Covered institutions must employ multi-factor authentication for all inbound connections to the entity’s network.
  • Encryption (500.15): Organizations must enact controls, including encryption of sensitive data, depending on the outcome of a risk assessment.
  • Training (500.14): Ongoing training must be provided to all personnel to avoid events like phishing scams and to prevent errors that could cause significant consequences to the organization.

New York’s Information Security Breach and Notification Act requires Covered Entities to disclose any breach of data by way of their state technology law form.

In the meantime, organizations should refamiliarize themselves with the regulations and reporting requirements.

Notices of Breach

The memorandum revisits the final portion of phase 1 in the implementation of Notices to the Superintendent, which requires regulated entities and licensed persons to submit notices of cybersecurity events to the Department. Since its implementation in August 2017, NYDFS has received approximately 1,000 notices of cybersecurity incidents. Per the narrative, a large percentage of events reportedly were the result of email phishing attacks that compromised user credentials, and not just those of the impacted organization, but those of its third parties as well. Are you seeing the full circle? One could assume stringent enforcement regarding these matters after specific focus from the Superintendent.

Penalties for Noncompliance

One frustrating aspect for Covered Entities is that NYDFS has failed to clearly communicate information regarding fines for noncompliance beyond simply stating that violations will be calculated, nor have any fines been imposed. This is complete speculation, but perhaps with the transitional period’s ending, additional details may come to light. For now, it’s unfortunate for Covered Entities that NYDFS has not offered additional insight into the topic despite specific inquiries, leaving organizations to learn from others’ (or their own) mistakes. Just ensure that you are prepared, as examiners have included cybersecurity as a component of all examinations performed by DFS.

A Final Word From Threat Stack

In an earlier post, we covered the basics of 23 NYCRR 500: who is affected, how the regulations apply to “Covered Entities,” and what is required for compliance. It’s a great article if you want to bring yourself up to speed on the regulations and reporting requirements. Together with the updates Collin Varner has included in his excellent article, you should be set to deal with 23 NYCRR 500.

If you’d like to learn more about how Threat Stack can help to address your organization’s security and compliance issues, please contact us for a demo. Our experts will be pleased to speak with you.
