It’s been almost five years since the Final NYDFS Regulation, covered entities have now transitioned to a compliance phase. Let’s take a look at the current state of the regulation, but first a step back.
Under the Final NYDFS Regulation effective March 1, 2017, subject to certain exemptions, any individual, partnership, corporation, association, or other entity operating under or required to operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the New York Banking Law, Insurance Law or Financial Services Law (a “Covered Entity”) include the following types of entities, among others, chartered or licensed by the NYDFS:
- Insured depository institutions;
- Branches, agencies, or offices of a non-U.S. bank;
- Trust companies;
- Credit unions;
- Check cashers;
- Money transmitters;
- Institutions with BitLicenses;2 and
- Mortgage brokers.
Covered Entities are required by NYDFS Cybersecurity Regulation to:
- Establish a Cybersecurity Program designed to ensure the security of the Covered Entity’s information systems, which must include: information and systems security, data governance and classification, asset inventory and device management, access controls, disaster recovery plans, a Risk Assessment, vendor and third-party service provider management, and a written Incident Response Plan;
- Adopt a written Cybersecurity Policy;
- Designate a Chief Information Security Officer (“CISO”) responsible for implementing, overseeing, and enforcing the cybersecurity program and policy; and
- Comply with notice and reporting requirements, which include: reporting certain Cybersecurity Events to the DFS within 72 hours, and submitting annual compliance certifications to the DFS by April 15th of each year.
- The DFS Certification of Compliance is a critical governance pillar for the cybersecurity program of all DFS regulated entities. Prior to April 15 of every year, all regulated entities and licensed persons must file a Certification of compliance to the Superintendent covering the previous calendar year confirming their compliance with the DFS cybersecurity regulation.
- An entity or individual should only submit a Certification if they were in compliance with all portions of the regulations that apply to that Covered Entity. Even if you filed a Notice of Exemption, you might have to submit a Certification of Compliance to demonstrate that you were in compliance with the portions of the regulation that apply to you.
- If a Covered Entity qualifies for an exemption, it must file a Notice of Exemption with the DFS.
The current status demonstrates an increasingly aggressive stance taken by NYDFS concerning compliance with Cybersecurity Regulations outlined in 23 NYCRR Part 500, licensed companies must ensure that they have appropriate and well-documented cybersecurity controls, policies, and procedures in place. Failure to do so may subject companies to fines and penalties, enforcement actions, or even the revocation of their licenses.
Under the regulations, a Covered Entity is required to submit a written statement to NYDFS each year certifying compliance with the requirements of 23 NYCRR 500. The Covered Entity also must maintain supporting documentation for 5 years for examination by the regulator. NYDFS has aggressively pursued Covered Entities that fail to comply with the Cybersecurity Regulations, including assessing several millions of dollars in fines and penalties.
- March 2021, NYDFS imposed a $1.5 million civil penalty on a licensed mortgage banker for failing to notify the regulator of a Cybersecurity Event. The company was found liable for violating the Cybersecurity Regulations in failing to timely report the breach and failing to conduct a comprehensive Cybersecurity Risk Assessment.
- April 2021, NYDFS imposed a $3 million civil penalty on an insurance company based on its failure to implement MFA, failure to timely report two separate Cybersecurity Events and falsely certifying compliance with the Cybersecurity Regulations.
- May 2021, NYDFS imposed a $1.8 million civil penalty on two life insurance companies based on the failure to implement MFA and falsely certifying compliance with the Cybersecurity Regulations.
It’s important for covered entities to recognize annual compliance requirements failure to do so with NYDFS Cybersecurity Regulations may subject them to significant fines, penalties, and reputation damage.
During the early development phases of the NYDFS Cybersecurity Regulations, CCSI recognized a need for a trusted advisor in support of their clients and the business community helping to navigate this important legislation. CCSI’s Information Security practice group has formulated a plan of action and scope of work for its clients who are covered by the Final Regulation.
CCSI’s Security Lifecycle Framework provides organizations with the ability to work with CCSI to choose, integrate and operate a wide range of security technologies across the IT enterprise, centralize threat intelligence management & orchestration, and automate responses to threats without waiting for human intervention. Contact your relationship manager at CCSI for assistance.
Robert Villano is the Cybersecurity Practice Manager at CCSI.
Robert is a data privacy advocate specializing in safeguarding the confidentiality, integrity, and availability of highly sensitive data. His experience over the past twenty years with information security, security architecture review, and executing risk assessment methodologies has enabled organizations to achieve regulatory compliance within highly regulated environments most recently in the healthcare and financial services industry.
Underscoring his professional interest in wireless communications and IoT security, Robert has an electrical engineering background earning a BSEE at Penn State University and an MSEE at New York University. He holds the CISM, and CRISC information security certifications.
Connect with Robert at CCSI via firstname.lastname@example.org.