NYDFS Clarifies Questions Around Cybersecurity Regulation Rule
The New York State Department of Financial Services (NYDFS) recently clarified answers to questions on 23 NYCRR Part 500, its landmark cybersecurity regulation rule.
The New York Department of Financial Services (NYDFS) recently clarified a handful of outstanding questions around 23 NYCRR Part 500, the cybersecurity regulation rule for financial services companies it recently enacted.
The updates nearly coincided with March 1, a date earlier this month that marked the one-year transitional period imposed by the NYDFS around the rule.
The regulation was established to address the heightened degree of risk that financial services companies supervised by the NYDFS are exposed to, namely from nation-state attackers and independent criminal actors. Under the rule, organizations (Covered Entities) are required to adopt and maintain a cybersecurity program and ensure policies and procedures are in place to protect information systems and nonpublic information.
The updates, as seen in a revised FAQ on NYDFS' site, clarify that not-for-profit mortgage brokers, health maintenance organizations (HMOs), and continuing care retirement communities (CCRCs) are indeed considered Covered Entities subject to 23 NYCRR Part 500.
This was a point of confusion for some organizations until recently. The NYDFS oversees more than just banks and insurance companies; concerned parties unsure whether the Department covers their company would be well served to consult this page on NYDFS' site.
In another question the NYDFS elaborated on the status of Exempt Mortgage Servicers, confirming that unless an entity can prove its "exempt organization" status (citing New York State Banking Law), Exempt Mortgage Servicers are not considered a Covered Entity. Just because Exempt Mortgage Servicers may not be obligated under the regulation to adopt cybersecurity protections doesn’t mean they shouldn’t, the NYDFS said.
“With respect to DFS's cybersecurity regulation, given the ever-increasing cybersecurity risks that financial institutions face, DFS strongly encourages all financial institutions, including exempt Mortgage Servicers, to adopt cybersecurity protections consistent with the safeguards and protections of 23 NYCRR Part 500,” the FAQ reads.
The last question in the FAQ updated by NYDFS has to do with mergers and acquisitions. When either acquiring or merging with another company, Covered Entities need to make it clear to the DFS that cybersecurity played a role in the decision.
In particular, companies need to do a "factual analysis" to ensure that the procedures, guidelines and standards of the company that’s being acquired have been reviewed, assessed, and updated.
"Some important considerations include, but are not limited to, what business the acquired company engages in, the target company's risk for cybersecurity including its availability of PII, the safety and soundness of the Covered Entity, and the integration of data systems," the FAQ reads.
The FAQ was originally published more than a year ago, in December 2017, but as the NYDFS’ recent tweaks made clear, there were still some gray areas.
23 NYCRR Part 500 went into effect back in March 2017, but March 1, 2018 was only one of the rule’s key dates. Covered Entities were required to certify compliance with sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of the rule by February 15, 2018.
Those sections require companies to do the following:
• 500.04(b) - Ensure the company’s Chief Information Security Officer (CISO) submits an annual report on the company's cybersecurity policies, procedures, and risks to its board of directors.
• 500.09 - Guarantee the company conducts and documents a periodic risk assessment that examines the company's cybersecurity hygiene.
• 500.14(b) - Make cybersecurity awareness training, addressing all risks, threats and countermeasures, available to its employees.
• 500.05 - Based on the company's risk assessment, carry out penetration testing or implement monitoring to ensure the effectiveness of its cybersecurity program.
• 500.12 - Introduce, if it hasn't been already, multi-factor authentication to deter unauthorized access to nonpublic information or information systems.
The 18-month transitional period ends on September 3 later this year, a date by which all Covered Entities must be in compliance with the requirements in sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of the rule. Those sections deal with requirements on audit trails, application security, limitation on data retention, regular monitoring, and encryption of nonpublic information, respectively.
Regulated entities and licensed persons who failed to file a Certification of Compliance under the regulation by February 15 received a letter earlier this month urging them to do so as soon as possible. In the letter the Department stressed that by not submitting a Certification of Compliance with Part 500, a company could indicate that its cybersecurity program has a “substantive deficiency.”
The NYDFS also took the time in the letters to remind companies that, even if they claimed an exemption, they’re likely still required to file a Certification of Compliance. The only exception is if the organization has claimed an exemption under a specific section, 23 NYCRR 500.19(b).
“Some Covered Entities did not file because they claimed an exemption under 23 NYCRR 500.19 and believed that this exempted them from filing a Certification of Compliance. NYDFS has advised that all Covered Entities claiming an exemption are required to file a Certification of Compliance except those who have claimed an exemption under 23 NYCRR 500.19(b). This exemption applies to Covered Entities who are employees of covered entities,” the letter reads.