New York City is often referred to as the financial capital of the world; given the state of cybersecurity today and the increasing barrage of threats that financial institutions must combat on a daily basis, it is no wonder that New York became the first state to take government action to do something about it. In March of 2017, the New York Department of Financial Services enacted a set of cybersecurity regulations requiring financial companies to take specified measures to better protect personal information from cyber attacks. Like other similar regulations, companies have been allotted a transitional period to prepare for these requirements, and a series of important calendar deadlines was outlined. Below is a guide to help those who are mandated to abide by the Financial Services 23 NYCRR 500 legislation navigate what is required.
What is significant about March 1, 2019?
March 1, 2019 is the official conclusion of the two-year transitional period for all covered entities. The good news is that you get an extra day of transitioning due to Leap Year. As of March 2019, all organizations that fall under the jurisdiction of the legislation must comply with the NYCRR 500 list of requirements or face penalty.
What organizations must comply?
Pretty much any company in the financial industry must comply. This includes:
- State-chartered banks as well as non-U.S. banks licensed to operate in New York
- Licensed lenders
- Mortgage companies
- Trust companies
- Insurance companies doing business in New York
- Private bankers
- Service contract providers
Note that companies with fewer than 10 employees that have either less than $5 million in gross annual revenue for 3 years or less than $10 million in year-end total assets are exempt.
What are you required to do to meet compliance?
In essence, financial companies operating in the state of New York cannot ignore their responsibility when it comes to protecting the personal data that they store. You must now have an active and well-conceived security strategy in place that is documented and transcribed into specific security policies. Some of the required measures include the following:
- Implement and maintain a cybersecurity policy
- A confirmation from a member of the board of directors or a senior officer that a security policy has been submitted to and reviewed by them
- A written incident response plan outlining how the organization will respond to a cybersecurity incident, including the notification to the state superintendent within 72 hours of any such event
- The hiring of qualified cybersecurity personnel unless a third party service is used
- A periodic review of user access privileges
- Training and monitoring for all authorized users
Like the GDPR legislation in Europe, third parties utilized by the covered entities are not exempt from these NYDFS regulations. NYCRR 500 sets a minimum standard for all third party service providers that serve the financial industry sector. It requires that financial institutions look beyond their own perimeter to confirm the security systems and efforts of their partners. The fact is that if a breach is due to a third party's negligence, it is still the main organization that bears responsibility. Because so many financial companies utilize third party providers for their IT services, the stated security of third parties is a very significant clause of the March 1 deadline. Specific third party requirements include the following:
- The identification and risk assessment of third party service providers
- Disclosure of representations and warranties of third party procedures relating to the security of an entity’s data
- Due diligence efforts to properly evaluate the adequacy of third party cybersecurity practices
Regardless of whether data is hosted internally or by a third party, the use of encryption and multifactor authentication (MFA) is required under NYDFS.
What are the ramifications of non-compliance?
The penalties for non-compliance are very real. Companies that fail to meet the outlined provisions of NYCRR 500 face the revocation of their license as well as a financial penalty of up to $2,500 for each day of non-compliance. Higher fines of up to $15,000 can be levied for reckless practice, or up to $75,000 for willful violation.
Not Vetting Your Third Party Vendors Can Cost You
The enforced requirement to vet third parties is anything but unprecedented. As far back as 2015, the SEC fined an adviser at the St. Louis firm R.T. Jones a total of $75,000 for a breach involving its third party web hosting company. The web server that hosted the company's website had been attacked two years earlier, resulting in a data compromise affecting more than 100,000 individuals. R.T. Jones had neglected its responsibility to produce written policies and procedures outlining its efforts to safeguard customer information, including the absence of periodic risk assessments and an incident response plan.
HIPAA has mandated third party compliance for years. Back in 2018, the New Jersey Attorney General legally pursued a physician group involving more than 50 South Jersey medical and surgical practices. A settlement of $417,816 was later agreed to over allegations that it had failed to protect the information of more than 1,650 patients. The breach was the result of a third party vendor that failed to correctly update the software of an FTP site where transcribed documents were kept. As a result, the site's password protection was negated, and anyone conducting a Google search could download documents, including medical information, from the FTP site.
Know What Your Duty of Care Responsibility Is
Although the legislation set forth by the State of New York is certainly comprehensive, it doesn't assign responsibility to you for every possible cybersecurity event. The NYCRR 500 regulations do not require you to guarantee the security of personal information. Instead, they require you to perform your duty of care, which is equivalent to the action a reasonable person would take in order to protect the information. Of course, defining what exactly one's duty of care is can be confusing. Thus, it is important to turn to an advisor who is experienced in cybersecurity and who understands what one's level of "due care" actually is. While this stringent set of requirements can be potentially damaging if neglected, the process of ensuring compliance can be easily managed with the proper direction and guidance.
For third party risk management, HALOCK Security Labs can navigate you through the process.