Last month marked two years since the New York Department of Financial Services (NYDFS) cybersecurity requirements went into effect, so what exactly has been happening during that period? Let’s check in on the moving parts of the still young cybersecurity requirement.
For those unfamiliar, in March 2017, NYDFS Cybersecurity Regulation (23 NYCRR 500) was released stipulating that all entities operating under DFS licensure, registration, or charter must submit a Certification of Compliance stating that they adhere to the requirements. Whether based in New York or not, organizations conducting business or hosting information (“Covered Entities”) related to New York banking, insurance, and financial services industries must comply with these regulations.
Who are Covered Entities
- Licensed lenders
- State-chartered banks
- Trust companies
- Service contract providers
- Private bankers
- Mortgage companies
- Insurance companies doing business in New York
- Non-U.S. banks licensed to operate in New York
There are exceptions clearly defined within NYDFS’ FAQ that primarily apply to smaller organizations with less than ten employees and/or less than $5 million in gross annual revenue. Additionally, companies that do not control nonpublic information also qualify for exemptions, but it is critical to note that while exemptions are in place, you may still be required to comply with specific sections within the regulation.
Further, if you provide services to any of the above, you could be subject to these requirements. Upon release, NYDFS issued transitional periods for Covered Entities to implement and document a cybersecurity program that complies with the defined requirements. The past month’s two-year anniversary of the standard also marks the final phase of the transition period allotted to Covered Entities in order to comply. This phase stipulates organizations must be able to report all third-party providers with access to nonpublic information meet minimum cybersecurity practices (500.11) by-way of written policies and procedures designed to ensure the security of information systems and non-public information from risk posed by third-party service providers; however; organizations are not required to certify their compliance with 500.11 until February 15, 2020, so if you believe you may fall under this category, it’d be beneficial to refamiliarize yourself with the standard and provision an agreed upon timeframe with your customers for compliance.
Third Party Service Provider Security Policy (500.11)
Let’s visit the requirements in the final transition period. Per the regulation, under the final phase of the two-year transitional period, Covered Entities shall have implemented written policies and procedures designed to ensure the security of information systems and nonpublic information maintained or access by third parties by February 15, 2020. What do you need to do in order to comply? If you recall, within phase two of the four-phase rollout of the regulation, section 500.09 of the requirement stipulates Covered Entities conduct a risk assessment on a periodic basis (read: at least annually) that includes IT systems and nonpublic information that encompasses an organizations cybersecurity program.
In order to comply with section 500.11, the written documentation is required to be based on risk assessments and must include:
- The identification and risk assessment of third-party service providers;
- Minimum cybersecurity practices required to be met by such providers in order for them to do business with the Covered Entity;
- Due diligence processes used to evaluate the adequacy of cybersecurity practices; and
- Periodic assessment of third parties based on the risk they present and the continued adequacy of their cybersecurity practices.
Additionally, policies and procedures should also provide guidelines for due diligence around third party actions, including:
- Third party’s procedures regarding access control, specifically the use of multi-factor authentication (500.12)
- Encryption of nonpublic information (500.15)
- Notification of any act – successful or unsuccessful – of unauthorized access or misuse of information (500.17)
Memo from the Superintendent
In December 2018, the superintendent of NYDFS, Maria Vullo, released a memorandum emphasize the need for education and training which can help ensure that all parts of the organization are aware of and follow proper cybersecurity procedures. Further, it also highlighted attacks specific to emails and transmission of data, highlighting the importance in complying with the following:
- Multifactor authentication (500.12) – Covered institutions must employ multi-factor authentication for all inbound connections to the entity's network.
- Encryption (500.15) – Organizations must enact controls, including encryption of sensitive data, depending on the outcome of a risk assessment
- Training (500.14) – training to all personnel to avoid events like phishing scams and prevent errors that could cause significant consequences to the organization
New York’s Information Security Breach and Notification Act requires Covered Entities to disclose any breach of the data by way of their state technology law form.
In the meantime, organizations should refamiliarize themselves with the regulations and reporting requirements.
Notices of Breach
The memorandum revisits the final portion from phase 1 in the implementation of Notices to Superintendent, governing regulated entities and licensed persons to submit notices to the Department of cybersecurity events. Since it’s implementation in August 2017, NYDFS has received approximately 1,000 notices of cybersecurity incidents. Per the narrative, a large percentage of events reportedly were the result of email phishing attacks, compromising user credentials – and not just those of the impacted organization, but from their third parties as well. Are you seeing the full circle? One could assume stringent enforcement regarding these matters after specific focus from the superintendent.
Penalties of Noncompliance
One frustrating aspect for Covered Entities is NYDFS has failed to clearly communicate information regarding fines for noncompliance outside of simply stating violations will be calculated, nor have any fines been imposed. Complete speculation, but perhaps with the transitional periods ending, additional details may come to light, but for now it’s unfortunate for Covered Entities that NYDFS has not offered additional insight to the topic despite specific inquiries, leaving organizations to learn from others (or their own) mistakes. Just ensure you are prepared, as examiners have included cybersecurity as a component of all examinations performed by DFS.