In 2017, the New York Department of Financial Services (NYDFS) put forth a set of regulations placing cybersecurity requirements on all financial institutions – it was titled NYDFS Cybersecurity Regulation (23 NYCRR 500). The regulation includes twenty-three sections defining the requirements for developing and executing an effective cybersecurity program, requires institutions to identify their cybersecurity risks and create a plan to proactively address security risks. The regulations also require companies to conduct regular risk assessments, adhere to timely notifications of incidents, appoint a Chief Information Security Officer (CISO), and ensure companies limit access to sensitive customer information.
Soon after the regulations took effect, charges were filed against a subsidiary of the insurance company First American Financial Corporation. First American Title Insurance, the second-largest real-estate title insurer in the U.S, was charged with exposing hundreds of millions of sensitive documents containing important information such as Social Security numbers and bank account information over a several-year period.
The breach occurred due to errors in their document management system that allowed personnel to view any file without needing a password or other security measure. First American will be contesting the charges, as they disagree with allegations made by NYDFS. Regulators said the subsidiary First American was aware of the flaw in its system for several months before it was revealed by journalist Brian Krebs.
DFS filed charges against First American for a violation of six sections of the Cybersecurity Regulation. The company faces hefty fines if they’re found guilty. DFS explained that each instance of exposed personal information will be considered a separate violation, amounting to a penalty of $1,000 each. The DFS hearing for First American Title Insurance is set for October 26th, 2020.
Who is Covered Under the NYDFS Cybersecurity Regulation?
The NYDFS Cybersecurity Regulation covers all entities operating under or required to operate under a Department of Financial Services (DFS) licensure, registration, or charter as well as unregulated third-party service providers to regulated entities. Limitations to coverage include: organizations that employ less than ten people, produce less than $5 million in annual gross revenue from NY operations in each of the past three years, or maintain less than $10 million in year-end total assets. Examples of covered entities include:
- Licensed lenders
- Private bankers
- State-chartered banks
- Foreign banks licensed to operate in New York
- Mortgage companies
- Insurance companies
Cybersecurity Regulation: 23 NYCRR 500 Policy Phases
The regulation was broken into a four distinct phase framework. The first phase of the NYDFS Cybersecurity Regulation went into effect on February 15th, 2018, and required the covered organizations to develop a cybersecurity policy, which includes an incident response plan with a requirement of data breach notifications within 72 hours. The policy must stay in line with industry best practices and ISO 27001 standards. And, the policy must cover:
- Information security
- Customer data privacy
- Access controls
- Systems and network security
- Regular risk assessments
- Disaster recovery planning
The second phase went into effect on March 1st, 2018, and required the company’s CISO to prepare an annual report that covers: the organization’s cybersecurity policies and procedures, their security risks, and the effectiveness of their existing cybersecurity measures.
Phase three, which began on September 3rd, 2018, required covered organizations to incorporate a comprehensive cybersecurity program containing a few key elements such as:
- An audit trail reflecting their threat detection and response activities
- Written documentation of procedures, standards, and guidelines for in-house applications
- Detailed data retention policy documentation, including how non-public personal information is disposed
- Encryption and other robust security control measures
The final phase went into effect on March 1st, 2019, and addressed the organization’s policies towards third party permissions to access sensitive data, files, and systems. Covered organizations are required to enact a written policy for these third-party programs that address:
- Risk assessment of third-party service providers
- The covered financial institution’s security requirements of third-party service providers that must be met in order to conduct business with that entity
- Processes for evaluating the effectiveness of a third-party service provider’s security practices
- Periodic assessments of third-party policies and controls
Best Practices For Adhering to the NYDFS Cybersecurity Regulation
- Determine whether or not your institution classifies as “covered.”
- Coordinate a regulatory compliance team with an assigned a Chief Information Security Officer (CISO)
- Recognize your organization’s risk profile, organizations should be conducting ongoing, risk assessments to identify problems and address proactive threats.
- Adhere to all regulation deadlines.
If you’d like help to determine whether or not your organization is staying compliant with the NYDFS Cybersecurity Regulation or need assistance setting-up protocols, please contact us.