Tens of thousands of companies are now legally obligated to comply with the NYDFS Cybersecurity Regulation. Financial institutions have always been appealing targets for cybercriminals. As far back as 2007, a Russian hacking ring stole $2 million after successfully hacking a string of ATMs in New York. In 2019, numerous credit unions throughout the U.S. were hit by spear-phishing emails impersonating compliance officers. Also in 2019, the convenience store chain Wawa discovered that hackers had compromised its card processing system over a nine-month period during which customers at any Wawa location could have had their data stolen. It was estimated that tens of millions of card details were posted for sale online.
These instances are just a few examples of the many cyberattacks that have employed advanced tactics against financial institutions to gain access to valuable data. As the cyber threat landscape has grown increasingly sophisticated, regulations have needed to expand in scope and complexity to reflect a more dangerous cybersecurity climate. The New York State Department of Financial Services (NYDFS) Cybersecurity Regulation is one such measure implemented to ensure companies meet strict cybersecurity requirements so they are less likely to be victims of a breach and are able to effectively respond in the event a breach does occur.
Enacted in March of 2017, the NYDFS Cybersecurity Regulation mandated a sweeping set of compliance regulations for all entities regulated by the NYDFS. Such entities include:
- Commercial banks
- Trust companies
- Private bankers
- Credit unions
- Licensed lenders
- Service providers
- Mortgage companies
- Insurance companies (that conduct business in New York)
- Banks outside the U.S. (if licensed to operate in New York)
- Life insurance companies
- Savings and loan associations
It is important to note that covered entities must comply with the NYDFS Cybersecurity Regulation regardless of whether they are based in New York or not. If your business operates in New Jersey but you deal with the financial information of New York residents, for instance, you would be considered a covered entity.
Exemptions for certain requirements of the regulation exist for companies in the following circumstances:
- Companies with fewer than 10 employees
- Companies that produced less than $5 million in gross annual revenue in each of the last three fiscal years
- Companies that hold less than $10 million in year-end total assets
- Companies that do not store or process any nonpublic information
What are the Goals of the NYDFS Cybersecurity Regulation?
The overarching goal of this regulation is simple: it aims to “promote the protection of customer information as well as the information technology systems of regulated entities” amidst today’s evolving threat landscape with an ever-increasing number of cyberattacks. A regulated entity must “ensure the safety and soundness of the institution and protect its customers.”
The regulation requires covered entities to protect nonpublic information by enacting cybersecurity measures that mitigate the risk of a cyberattack. Nonpublic information includes personally identifiable information, personal health information, and confidential business information. Companies must assess their specific risk profile and design a comprehensive program that robustly addresses those risks. Additionally, covered organizations must file an annual report confirming compliance.
So, how can you meet compliance or check whether you have met all requirements? Best practices for working towards compliance with the NYDFS Cybersecurity Regulation are outlined below. However, we highly recommend consulting with a qualified attorney or cybersecurity professional to ensure that you have met all requirements.
Best Practices for Compliance
1. Have a Documented Cybersecurity Policy. The first step is simply having a documented cybersecurity policy. This needs to be approved by your company’s governing body and clearly show how you are protecting personally identifiable information, personal health information, and confidential business information. Written procedures outlining secure practices for the use of applications must also be documented.
Your cybersecurity policy should accomplish six core functions:
- Identify and assess internal and external cybersecurity risks that may threaten the security or integrity of nonpublic information stored on your Information Systems
- Use defensive infrastructure and the implementation of policies and procedures to protect your Information Systems from unauthorized access, use or other malicious acts
- Detect cybersecurity events
- Respond to identified or detected cybersecurity events to mitigate any negative effects
- Recover from cybersecurity events and restore normal operations and services
- Fulfill applicable regulatory reporting obligations
If any of these policies feel overwhelming, or if you are unsure your company has met all of them fully, we recommend consulting with an experienced cybersecurity professional. Please feel free to contact us for assistance.
2. Appoint a Chief Information Security Officer (CISO). According to the guidelines, an outside company (such as Touchstone) can fill this role. The CISO must report annually to your company’s governing body (most often a board of directors) on the cybersecurity policies and risks. To the extent applicable to your organization, a CISO can help ensure you have policies in place that are in line with the regulation, including:
- Data governance and classification
- Information security
- Asset inventory and device management
- Disaster recovery planning
- Systems and network security/monitoring
- Physical security and environmental controls
- Customer data privacy
- Risk assessment and incident response
3. Conduct Risk Assessments. This entails conducting a periodic Risk Assessment of your Information Systems, and assessing the need for updates to your cybersecurity policies to address any changes in your business operations.
4. Encryption. Controls, including encryption, are mandated to protect nonpublic information at rest and in transit.
5. Employee Training and Certification. All employees implementing the regulations, including contractors, must be trained and certified. Additionally, you must limit user access privileges to Information Systems that hold nonpublic information.
6. Penetration Testing and Vulnerability Assessments. This involves annual penetration testing and bi-annual vulnerability assessments.
7. Third-Party Vendor Requirements. If your company deals with third-party vendors, you are required to have a set of documented policies to safeguard nonpublic information that any third-party vendor has access to.
8. Incident Response Plan. Have a detailed incident response plan prepared that sets out what your company’s response will be within 72 hours if a security breach does occur. If an incident does occur, you must report the event to the DFS through the DFS portal.
9. Multi-factor Authentication. This must be implemented on all accounts with access to protected information.
10. Data Retention Requirements. You must document procedures for the periodic, secure disposal of nonpublic information that is no longer used for business operations.
11. Submit a Yearly Certification to the NYDFS. This includes employee security awareness training, penetration testing results, and a risk and vulnerability assessment. Covered entities must file the Certification of Compliance each calendar year. This can be done through the DFS secure online portal. This year, the deadline was June 1st.
Without meeting compliance requirements, you are also at risk of incurring legal problems. Although the DFS has yet to impose a fine for inadequate cybersecurity compliance, 2020 may mark a change in this – in 2019, the DFS formed a Cybersecurity Division headed by a former federal cybercrime prosecutor. The purpose of this action was to lead enforcement of the Cybersecurity Regulation, and increased enforcement this year is anticipated.
Next Steps and Considerations
The cybersecurity requirements imposed by the NYDFS definitely work to deter many potentially devastating breaches targeted at financial institutions. Simply having a cybersecurity policy and a response plan in place, conducting adequate security awareness training, and appointing a CISO to oversee your security substantially mitigates your risk of experiencing a cyberattack.
However, breaches targeted at financial institutions still happen. For instance, if you applied for a Capital One credit card in 2019, your data may have been compromised. In July of 2019, Capital One suffered a devastating data breach that resulted in the loss of the credit card applications of approximately 100 million individuals after a software engineer compromised a server. The hacker was able to exploit a misconfigured firewall to gain access to a vast database of users’ personal information including social security numbers, names, dates of birth, credit scores, and contact information.
Hackers have access to increasingly sophisticated methods for launching attacks at their fingertips, and it is essential for companies to protect themselves by meeting all applicable regulations and implementing proven methods that substantially mitigate your risk. Unfortunately, compliance does not 100% guarantee safety from cyberattacks. We recommend that companies consider enlisting an experienced team of professionals who provide security services that ensure compliance requirements are met while also going above and beyond with additional measures to safeguard your security.
It is also important to note that a statement released in April this year to all DFS covered entities urged them to remain vigilant in light of COVID-19. A significant increase in cybercrime has been noted recently, given the heightened risks associated with remote work and increased phishing and fraud related to COVID-19. It is perhaps more important now than ever before to ensure your organization meets cybersecurity compliance, has implemented effective measures to mitigate your risk of a breach, and knows how to effectively respond in the event a breach does occur. Please note that this guide does not cover every control found in the NYDFS Cybersecurity Regulation. Please see the regulation’s original text.
Still Have Questions?
If you are unsure if your company has met all applicable cybersecurity requirements, or if you would like advice on measures you can take to protect yourself from a cyberattack, contact us today for a free consultation session. One of our experienced CISOs will speak with you and identify steps you can take to begin working towards compliance requirements and greater protection from threats today.