It's Time to Take the NYDFS Cybersecurity Regulation Seriously
By Tom Stamulis, Senior Director, Alvarez & Marsal
It has been six months since the New York Department of Financial Services (NYDFS) released its controversial cybersecurity regulation (23 NYCRR 500) on March 1st. If your organization is considered a Covered Entity affected by the regulation, it should already be compliant with the first phase of the regulation that was due by August 28th. Fortunately, for those Covered Entities that are not compliant, NYDFS is not requiring organizations to submit their formal certification letters until February 15, 2018.
"NYDFS takes protecting the personal information of New York residents seriously, and non-compliance can result in significant fines"
Why are these deadlines particularly significant? In my experience as a consultant with over 20 years in the cybersecurity industry, onerous tasks of understanding and complying with new regulations are often left to the last moment; following suit, many organizations likely have no idea whether they are compliant with regulation 23 NYCRR 500. If you have done your due diligence and are compliant, you should be proud because you are most likely in the minority. If you have done your evaluation and are in the process of meeting compliance in time to submit your certification, keep moving toward your goal. If by chance, your organization is not addressing the regulation, I’d recommend you put a plan together now, because history has shown non-compliance can result in significant fines; even more troubling, non-compliance puts your organization at greater risk, operationally. If you need convincing, take a drive over the new Tappan Zee Bridge, which has been paid in part by billions in fines issued by NYDFS.
The NYDFS cybersecurity regulation applies to all organizations operating under or required to operate under an NYDFS license, registration, charter, or similar authorization that is regulated by NYDFS and operate under Banking, Insurance or Financial Service Law. Examples of covered entities include:
• State-chartered banks;
• Foreign banks licensed and operating in New York State;
• Insurance companies;
• Private bankers;
• Mortgage companies; and
• Other financial service providers
NYDFS has provided limited exemptions to Covered Entities. Organizations that employ less than 10 people, produced less than $5 million in gross annual revenue from New York operations in each of the past three years, or have less than $10 million in year-end total assets are exempt from all or certain elements of the regulation.
If you have reviewed the above and identify as a Covered Entity, there are several controls your organization should have implemented by August 28th. If they are not currently in place, you need to get moving. The controls to implement are:
• 500.02 Cybersecurity Program
Develop and maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of Information Systems.
• 500.03 Cybersecurity Polices
Implement and maintain written policies, approved by a Senior Officer or Board of Directors, setting forth procedures for the protection of Nonpublic Information.
• 500.04 Chief Information Security Officer (CISO)
Designate a qualified individual to oversee and implement the cybersecurity program and enforce policy. Organizations can use a third party to fill this role.
• 500.07 Access Privileges
Companies covered by the regulation must monitor and limit access privileges granted to users.
• 500.10 Cybersecurity Personnel & Intelligence
Employ qualified individuals to manage evolving cybersecurity threats and responses. These can be third party actors.
• 500.16 Incident Response Plan
Establish a written incident response plan to promptly respond to, and recover from, any event materially affecting the confidentiality, integrity or availability of the Information Systems.
• 500.17 Notices of Superintendent
Any cybersecurity event that carries a “reasonable likelihood” of causing material harm to normal operations, must be reported within 72 hours.
There are key steps you can take to ensure you effectively manage your time and resources.
1. Identify whether your institution is a “Covered Entity” and if you must comply with the regulation in full or if you are eligible for any exemptions. If you identify you are eligible for any exemptions, you need to submit this to NYDFS immediately because it was due on October 30th.
2. Review your organization’s latest Risk Assessment Report. If cybersecurity is not included in this report, you will have to conduct either a new Risk Assessment or a supplemental one that includes cybersecurity. This is extremely important because several of the controls you have to meet must be developed and implemented based off the findings of this assessment.
3. Assemble your team consisting of all individuals that are affected by the seven controls identified earlier. This team should be led by the CISO who ultimately holds responsibility for overseeing, achieving and maintaining compliance.
4. Ensure senior leadership is aware of the NYDFS reporting requirements. On February 15, 2018, the Chairman of the Board or a Senior Officer will have to attest they have reviewed documents, reports, certifications and opinions of such officers, employees, representatives, outside vendors and other individuals or entities as necessary.
5. A key thing to remember is NYDFS has already stated that an organization may not submit a “Certificate of Certification” unless they have met all the requirements for that phase.
As you work through these requirements, it is important to remember this cybersecurity regulation is real, and, based on history, will be enforced. These are controls and not recommendations organizations may ignore. NYDFS takes protecting the personal information of New York residents seriously, and non-compliance can result in significant fines. An example of this is the hundreds of millions of dollars in fines paid by financial institutions for failing to comply with Anti-Money Laundering laws. Similar actions could be taken in response to non-compliance with the cybersecurity regulation. But, it is not too late to comply.