NYDFS Clarifies Portions of Cybersecurity Regulation in Update
The New York Department of Financial Services has updated its guidance on incidents affecting third party services and multi-factor authentication.
The rise in cyberattacks in the wake of the COVID-19 pandemic has been well documented. The financial industry, which still has many companies working from home for the foreseeable future, certainly isn't immune.
These changing times have kept regulators like the Securities and Exchange Commission’s (SEC) Cyber Unit and New York Department of Financial Services’ (NYDFS) Cybersecurity Division on their toes, investigating, responding to incidents and carrying out enforcement actions.
To clarify some particulars in its Cybersecurity Regulation, 23 NYCRR Part 500, the NYDFS recently updated some of the frequently asked questions (FAQ) about the law.
For the uninformed, if an entity is regulated or licensed by the New York State Department of Financial Services, it must comply with NYDFS’ Cybersecurity Regulation; the regulation requires financial services companies to implement and follow a cybersecurity plan, one that can safeguard sensitive customer data and mitigate risk through data protection, encryption, and access controls, among other solutions.
One of the questions NYDFS clarified concerned breaches at third party service providers. In the event of an incident at a third party, your organization must still inform the department if it is affected, even if the third party has already notified the NYDFS of the incident.
"Reporting Cybersecurity Events to the Department is not only an important obligation of all Covered Entities, but also enables the Department to more rapidly identify techniques used by attackers so that DFS can alert industry, respond quickly to new threats, and continue to effectively protect consumers and the financial services industry," the NYDFS wrote.
The second question pertains to the use of multi-factor authentication. Specifically, if a company uses cloud-based email, document hosting and similar services as part of its internal networks, does it have to comply with 23 NYCRR § 500.12(b) of the Cybersecurity Regulation?
23 NYCRR § 500.12(b) requires companies to use MFA for any individual accessing the covered entity’s internal networks from an external network, unless the covered entity’s CISO has approved in writing the use of reasonably equivalent or more secure access controls.
As is to be expected, yes, according to the NYDFS, MFA is still required, even if your organization is using cloud-based services, like Microsoft Office 365 and Google's G-Suite.
"These services contain Nonpublic Information that Covered Entities are required to protect," NYDFS said in a recent update.
The clarifications come on the heels of the department issuing new guidance on how financial services firms should mitigate ransomware attacks.
The department’s instructions included implementing employee training around phishing attacks, use of multi-factor authentication, and having a way to monitor systems for intruders, such as an endpoint detection and response solution.