NYDFS Cybersecurity Regulation: Curse or Blessing?


How New York’s new cybersecurity regulation impacts financial institutions

The recent Capital One data breach – affecting around 100 million people in the United States and compromising 140,000 social security numbers and 80,000 bank account numbers – is the latest in a long series. In 2018 alone, more than one billion people were affected by cyber attacks. The direct financial costs are huge, with the average cost of a breach around $8.9 million in the U.S., according to the 2019 Cost of a Data Breach Report. Added to these are vast, intangible damage to brand equity, customer trust, and intellectual property.

When companies engage with vendors, also known as third party service providers, they must address a particular set of cyber threats: 56% of respondents to a 2018 survey said they had experienced a breach that was caused by one of their vendors.

In response to such challenges, the New York State Department of Financial Services (NYDFS) has put in place a cybersecurity regulation aimed at the financial services industry that protects customer privacy through breach reporting requirements and limits on data retention. Providing a framework to protect the confidentiality, integrity and availability of IT systems, the regulation, 23 NYCRR 500, came into effect on March 1, 2017. A two-year transitional period expired on March 1, 2019, bringing into effect the regulation’s final requirement, which covers supply chain cybersecurity (see panel below). The regulation is similar to the European Union’s General Data Protection Regulation (GDPR), which took effect in May 2018.


NYDFS Cybersecurity Regulation provisions in effect from March 1, 2019:

Section 500.11: Third Party Service Provider Security Policy

Covered entities must implement policies and procedures – designed to ensure the security of information systems and nonpublic information that are accessible to third party service providers (vendors) – which address:

Identification and risk assessment of vendors

Minimum cybersecurity practices required for vendors

Due diligence processes to evaluate vendors’ cybersecurity practices

Periodic assessment of vendors based on the risk they present and the adequacy of their cybersecurity practices

Development of guidelines for due diligence and/or contractual protections, including:

Vendor use of multi-factor authentication and encryption

Notice of cybersecurity breaches impacting the covered entity’s data held by vendors

Warranties addressing the vendor’s cybersecurity policies and procedures


Managing risks and liabilities

To manage the risks and potential liability that come with New York’s first-of-its-kind cyber regulation, covered entities must implement “oversight and management of third-party service providers, or TPSPs, [that] will expand well beyond traditional vendor management functions and deep into contracting, diligence and stakeholder review,” writes Law.com. Covered entities require a highly structured and organized approach to vendor management, with “consistent application of thoughtful, risk-based rules, all within a third-party ecosystem growing in size, complexity and risk,” states the website. Once security risks have been assessed, covered entities need to develop policies for data governance, classification, access controls, system monitoring, and incident response and recovery.

The NYDFS cybersecurity regulation applies to organizations that “operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” This includes commercial banks, credit unions, health insurers, investment companies, mortgage brokers, and offices of foreign banks.

At present, the New York State Department of Financial Services (NYDFS) is responsible for regulating nearly 1,500 financial institutions with assets of more than $2.6 trillion, and 1,400 insurance companies and 300,000 individual licensees with assets of more than $4.7 trillion.

Potential penalties still unclear

As Lexology writes, “it is unclear at this time what the penalties for noncompliance with the Regulation will be, other than fines. There has not been much enforcement to date, though the Department of Financial Services sent notifications to covered entities that had not filed their certification, as required by Section 500.21. Such notifications may be followed by harsher warnings.”

Some online commentators assert that violations could incur fines of $250,000 or 1% of total banking assets. Others believe that NYDFS will calculate fines based on the existing New York Banking Law, which provides for: $2,500/day while the violation continues; $15,000/day if there is any reckless practice or pattern of misconduct; and $75,000/day if there is a willful violation.

Meanwhile, the NYDFS clearly has an appetite for fines, with a July 22, 2019, agreement reached with the state governor and state attorney general to settle with Equifax for $19.2 million over the company’s July 2017 data breach.

Talk to Cybeta to learn how to protect your company from the risk of similar penalties.

About Cybeta

For information on Cybeta™, a suite of intelligence products and services designed to help keep your business off the Cyber X, or to schedule a free in-person assessment, contact David Durant, MBA, Lead, Cybersecurity Product Development at Cybeta, at david.durant@cybeta.com.


Key State Legislation: NY and SC

New York State Department of Financial Services (NYDFS) cybersecurity requirements for financial services companies (23 NYCRR 500) took effect on March 1, 2017. “This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion,” according to NYDFS. A two-year transitional period ended on March 1, 2019, bringing into effect the regulation’s final requirement, covering supply chain cybersecurity.

On July 25, 2019, New York Governor Andrew M. Cuomo signed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act (S.5577B/A.5635), which imposes stronger obligations on businesses handling private data to provide notification to affected consumers when there is a security breach.

South Carolina’s Insurance Data Security Act, aimed at improving cybersecurity, came into effect at the start of 2019.