Since the regulation came into effect in March 2019, the New York State Department of Financial Services (DFS) continues to strengthen the way that it enforces the Cybersecurity Regulation 23 NYCRR Part 500. With 23 distinct sections of the regulation, DFS requires a comprehensive cybersecurity program for “Covered Entities”, including appointing a Chief Information Security Officer, undertaking periodic risk assessments, and maintaining a cybersecurity program that includes access controls, network security assessment, disaster recovery planning, and attendant policies and procedures. A certificate of compliance must be filed annually with DFS. View the DFS regulation.
Just in the past couple of months, New York State DFS announced that they have reached settlements with two regulated entities for failures to report cyber breaches in a timely manner as required by section 500.17 of the regulation. On March 3, 2021, DFS announced that Residential Mortgage Services, Inc. (RMS), a licensed mortgage banker, agreed to pay a $1.5 million penalty for failure to report a breach of sensitive personal data to the Superintendent of Financial Services. Further, RMS failed to conduct a comprehensive Cybersecurity Risk Assessment, which is required under section 500.9 of the regulation.
Similarly, DFS announced on April 14, 2021 that National Securities Corporation (“National Securities”), a licensed insurance company, agreed to pay a $3 million penalty for failing to report a series of cybersecurity breaches that occurred between 2018 and 2020. DFS also reported that the entity failed to implement Multi-Factor Authentication as required by section 500.12 of the regulation.
Is your business subject to DFS regulation and considered a “Covered Entity”?
All businesses operating in New York under a license, registration, charter, certificate, permit, or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law must comply with the DFS regulations. The list of businesses that must comply is a lengthy one and includes banks, credit unions, insurance adjusters, bail agents, credit reporting agencies, health service providers, insurance agencies, insurance companies, service contract providers, and student loan servicers. A full list of businesses supervised by DFS can be found here.
Please contact FoxPointe Solutions today if you have any questions pertaining to compliance with New York State DFS regulations.
Sources:
- https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202103031
- https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202104141
This article was written and produced by Christopher Salone, CCSFP, MBA, FoxPointe Solutions. Looking to get in touch with Christopher? Reach out today: csalone@foxpointesolutions.com.
FoxPointe Solutions is solely responsible only for the content of FoxPointe Solutions authored information and is subject to change at any time. Any forward-looking statements are not predictions. FoxPointe Solutions is not responsible for any errors or omissions, or for the results obtained from the use of this information. Questions regarding your legal or compliance position should be addressed through your legal counsel, security advisor and/or your relevant standard authority. Nothing contained herein should be used nor relied upon as advice nor constitute a consultant-client relationship.