Is your agency in compliance with the NYDFS Cybersecurity Law?

One of the biggest threats to your business these days is your compliance with NY DFS - or lack there of!

Don’t let what happened to First American happen to you. With many misconceptions about the Law, some businesses may be deemed small enough to be “exempt” but there are no exemptions. ONLY LIMITED EXEMPT which means you still must comply with the law.

FIND OUT IF YOU ARE IN COMPLIANCE ON A 10-MIN CALL WITH OUR EXPERTS

 

Find out if you are in compliance on a 10-Min Call with our experts

NYDFS Cybersecurity Requirements for Financial Institutions

In 2017 the New York State Department of Financial Services created the NYDFS cybersecurity regulation 23 NYCRR 500, which held financial institutions accountable for maintaining their cybersecurity program. The goal of the regulation is to ensure the safeguarding of sensitive customer data and to promote the integrity of the information technology systems of regulated entities.

As a filling entity you must comply with:

All regulated entities will need to develop a cybersecurity policy and implement an incident response plan that includes a notification system for data breaches and cybersecurity events within 72 hours.

NYDFS 23 NYCRR 500 Cybersecurity Requirements are incredibly confusing, and the fines for not being compliant can be debilitating.

The DFS 23 NYCRR 500 applies to all regulated entities meaning “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the financial Services Law”, including:

  • State banks
  • Licensed Lenders
  • Private Banks
  • Foreign Banks operating in New York
  • Mortgage Companies
  • Insurance companies
  • Trust companies
  • Service providers

The cybersecurity regulations do not specifically detail any potential penalties or the impact of noncompliance. Instead, they “will be enforced by the superintendent [of NYDFS] pursuant to, and [are] not intended to limit, the superintendent’s authority under any applicable laws.”

Enforcement actions most likely would arise pursuant to the general authority of NYDFS under the New York Banking Law, which authorizes the superintendent of NYDFS to require a regulated entity to pay a penalty “for any violation of this chapter [or] any regulation promulgated thereunder” (which would include the cybersecurity regulations).

Penalties pursuant to the New York Banking Law are authorized up to (a) $2,500 per day during which a violation continues, (b) $15,000 per day in the event of any reckless or unsound practice or pattern of misconduct, or (c) $75,000 per day in the event of a knowing and willful violation.

Cybersecurity Regulation Exemptions

Section 19 of the DFS cybersecurity regulation contains several exemptions. Most exemptions are limited in nature and require Covered Entities to still comply with some provisions of the Regulation. If you apply for an exemption, you still have to (a) File a Cybersecurity Notice of Exemption, (b) Implement the required elements of the Cyber security program, and (c) Have in place Cyber security policies and response system.

500.19(a)(1) Fewer than 10 employees working in NYS

You are entitled to this limited exemption when your business has fewer than 10 employees, including independent contractors. You must still design and implement a Cybersecurity program, including submitting an annual Certification of Compliance.

500.19(a)(2) Less than $5M in gross annual revenue

You are entitled to this limited exemption when your business has less than $5,000,000 in gross annual revenue in each of the last 3 fiscal years. You must still design and implement a Cybersecurity program, including submitting an annual Certification of Compliance.

500.19(a)(3) Less than $10M in year-end total assets

You are entitled to this limited exemption when your business has less than $10,000,000 in year-end total assets. You must still design and implement a Cybersecurity program, including submitting an annual Certification of Compliance.

Proving Compliance with NYDFS

Utilizing risk assessments to benchmark and assess the posture of your cybersecurity program is essential. At the end of each year, regulated institutions need to complete an annual certification process in coordination with the board of directors to evaluate their cybersecurity program.

At the end of this process, the organization will need to provide a Certification of Compliance with NYDFS Cybersecurity Regulation.

Under 23 NYCRR 500, a program must coincide with best practices that support:

  • Information Security
  • Access Controls and identity management
  • Business continuity and disaster recovery planning
  • Security and Personnel Training
  • Security of information systems
  • Network Security
  • Periodic risk assessments
  • Internal reporting and auditing
  • Data Encryption and Protection
  • Threat Feed Detection
  • Incident Response Plans
  • Multi-Factor Authentication
  • Vendor/Third-Party Risk Assessments

FIND OUT IF YOU ARE IN COMPLIANCE ON A 10-MIN CALL WITH OUR EXPERTS

 

Find out if you are in compliance on a 10-Min Call with our experts