Cyberattacks are on the rise, with bad actors accelerating their nefarious collection of personally identifiable information (PII). According to an IBM study, customer PII was included in 44% of all breaches in 2021, which cost organizations an average of $180 per lost or stolen record. As you can figure, breaches are costly — but more importantly, they compromise the identities and sensitive information of customers and erode the trust of the compromised companies.
It should come as no surprise then that cybersecurity legislation and regulation in the U.S. are on the rise. Many states, federal agencies, and industry sectors are defining and beginning to enforce new regulations intended to address the rising tide of cyberattacks and get more organizations practicing better cybersecurity. The good news about this trend? These new regulations have a strong propensity to make a positive impact on the security of U.S. organizations. The bad news? It can be very difficult for business and security leaders to keep track of, understand, and comply with all the regulations that govern their industry, and the new ones just add to the confusion.
One of the first state-based compliance mandates that has impacted the financial services industry is defined and imposed by the New York Department of Financial Services, or NYDFS.
The NYDFS recognized the significant risk that cyberattacks pose to financial businesses operating in the state and to their customers, so it took action. In 2017, NYDFS adopted a set of regulations, 23 NYCRR 500, that places strict cybersecurity requirements on financial services companies that do business in the state of New York, and on related third-party service providers, to defend against cyberattacks. Affected businesses need to know what the regulation requires, which companies must comply, and which similar laws overlap the provisions of this one.
The NYDFS regulation
The regulation aims to protect financial businesses from commercial loss and customers from loss of PII that may be stolen, used to commit crimes, or sold on the dark web. The regulation requires that businesses meet specific standards to ensure the security of their information systems. Here are some important actions that the financial services companies must execute:
• Maintain a cybersecurity program. The program must be based on a risk assessment and should identify and assess risks; use defensive infrastructure, policies, and procedures to protect information systems; detect, respond, and recover from cybersecurity events; and complete all reporting obligations.
• Implement and maintain a cybersecurity policy. The policy must address numerous areas including asset inventory and device management; business continuity and disaster recovery planning; systems and network monitoring; customer data privacy; risk assessment; incident response; and third-party service provider management to name a few.
• Designate a chief information security officer (CISO). The CISO must oversee and implement the cybersecurity program and enforce the policy. Note that the CISO can be a virtual representative, or vCISO, from an affiliate or third-party provider.
• Perform testing and assessments. Each business must conduct penetration testing and vulnerability assessments to evaluate the effectiveness of its cyber program. Also, a periodic risk assessment must be completed and updated to address any changes and allow for revisions in order to respond to technological developments and evolving threats.
• Comply with notice and reporting requirements. The CISO must report at least once each year on the cybersecurity program and cyber risks. If a cyber event occurs, notification to NYDFS is required within 72 hours.
These are just a handful of the required actions. If a financial business doesn’t meet the requirements, it may be subject to fines, penalties, enforcement actions and even license revocation. Penalties can reach into the millions of dollars.
NYDFS oversees more than 1,400 financial institutions with assets of more than $2.9 trillion and nearly 1,800 insurance companies with assets of $5.5 trillion. The regulation applies to all these businesses including state-chartered banks, trust companies, credit unions, credit rating agencies, mortgage loan originators and servicers, investment companies, insurance companies and foreign financial institutions that operate or do business within New York.
In addition, the regulation extends to third-party service providers, or businesses that are affiliates of, provide services to or handle nonpublic information of a NYDFS-covered business. If your business falls under one of these categories and is not an exempt business, you must be in compliance with the regulation, with a requirement to provide an annual certification of compliance.
New York was the first state to put this landmark regulation in place. Since its inception, other states, including South Carolina, Ohio, Michigan and Mississippi, have enacted similar laws, and more states are expected to follow suit. A few laws overlap the provisions of the NYDFS regulation, including:
• Gramm-Leach-Bliley Act. This federal law requires financial institutions to tell customers how they share information, explain that customers have a right to opt out of sharing, and adopt a written information security plan to safeguard customers’ information.
• SHIELD Act. The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) requires New York companies to establish reasonable safeguards to protect private information and give notification in the event of a data breach.
• SEC proposal. In February 2022, the Securities and Exchange Commission (SEC) proposed cybersecurity rules for investment firms, financial advisers and business development companies. If passed, these rules will require written policies and procedures and mandate recordkeeping, confidential reporting and disclosure if an incident occurs. Still a work in progress, the complexity of these new rules will likely require most business or security leaders to work closely with their legal and technical teams to understand and abide by all of the SEC’s final guidelines.
• Department of Labor (DOL) cybersecurity guidelines. The Employee Benefits Security Administration of the DOL has issued recent best practices for cybersecurity that fiduciaries of ERISA[1]-covered plans should comply with in order to “ensure proper mitigation of cybersecurity risks.”
Looking here just at the NYDFS regulation and a few related acts and proposals, it’s easy to see how challenging it is to keep up with new mandates and to know what security solutions and expertise to have in place to “check off all the boxes” for compliance.
If you’re not sure whether and how you should abide by NYDFS or any of the regulations that govern your industry, seek guidance from your law firm and trusted cybersecurity advisors. Having provided Managed Detection and Response, Incident Response, Vulnerability Management and Cybersecurity Advisory Services for many years now, Pondurance has frequently been called upon to help navigate the confusing compliance landscape. And while we can bring a technical perspective to the compliance conundrum, cybersecurity legal experts understand the laws and can provide critical guidance to the legal nuances and implications of regulations and compliance.
Best next step
Pondurance can perform a risk assessment to evaluate your cybersecurity risk and then recommend policies and procedures to address your risk. We also can supplement or function as your cybersecurity team with our Managed Detection and Response, Incident Response, and vCISO services.
For additional information on the regulations, check out our FAQs.
[1] Employee Retirement Income Security Act of 1974, https://www.dol.gov/general/topic/health-plans/erisa