Cyberattacks are on the rise, with malicious actors accelerating their collection of personally identifiable information (PII). According to an IBM study, customer personal information was included in 44% of all breaches in 2021, costing businesses an average of $180 per lost or stolen record. Breaches are costly, but more importantly, they compromise the identity and sensitive information of customers and erode trust in the compromised businesses.
It should therefore come as no surprise that cybersecurity legislation and regulation in the United States is on the rise. Many states, federal agencies, and industry sectors are defining and beginning to enforce new regulations intended to address the growing wave of cyberattacks and to push more organizations to practice better cybersecurity. The good news of this trend? These new regulations are likely to have a positive impact on the security of American organizations. The bad news? It can be very difficult for business and security leaders to keep up with, understand and comply with all the regulations that govern their industry, and the constant news coverage only adds to the confusion.
One of the first state-based compliance mandates that impacted the financial services industry was defined and imposed by the New York Department of Financial Services, or NYDFS.
The NYDFS has recognized the significant risk that cyberattacks pose to financial firms operating in the state and to their customers, so it has taken action. In 2017, NYDFS adopted a set of regulations, 23 NYCRR 500, which imposes strict cybersecurity requirements on financial services companies operating in New York State, and on their associated third-party service providers, to defend against cyberattacks. Financial services companies need to know what the regulation requires, which companies must comply, and which similar laws overlap with its provisions.
The NYDFS Regulation
The regulation aims to protect financial businesses from commercial loss and customers from the loss of PII that can be stolen, used to commit crimes or sold on the dark web. The regulation requires companies to comply with specific standards to ensure the security of their information systems. Here are some of the important actions that financial services companies must perform:
• Maintain a cybersecurity program. The program should be based on a risk assessment and should identify and assess risks; use defensive infrastructure, policies and procedures to protect information systems; detect, respond to and recover from cybersecurity events; and fulfill all reporting obligations.
• Establish and maintain a cybersecurity policy. The policy should address many areas, including asset inventory and device management; business continuity and disaster recovery planning; monitoring of systems and networks; confidentiality of customer data; risk assessment; incident response; and management of third-party service providers, to name a few.
• Appoint a chief information security officer (CISO). The CISO must oversee and implement the cybersecurity program and enforce the policy. Note that the CISO may be a virtual CISO, or vCISO, provided by an affiliate or third-party provider.
• Perform tests and assessments. Every company should perform penetration testing and vulnerability assessments to gauge the effectiveness of its cybersecurity program. Additionally, a periodic risk assessment should be performed and updated to account for any changes, allowing the program to be revised in response to technological developments and evolving threats.
• Comply with the notice and reporting requirements. The CISO must report at least once a year on the cybersecurity program and cyber risks. If a cybersecurity event occurs, notification to NYDFS is required within 72 hours.
These are just some of the actions required. If a financial firm fails to meet the requirements, it may be subject to fines, penalties, enforcement action and even license revocation. Penalties can reach millions of dollars.
NYDFS oversees more than 1,400 financial institutions with assets of over $2.9 trillion and nearly 1,800 insurance companies with assets of $5.5 trillion. The regulation applies to all such businesses, including state-chartered banks, trust companies, credit unions, credit rating agencies, mortgage loan originators and servicers, investment companies, insurance companies and foreign financial institutions that operate or do business in New York.
In addition, the regulation extends to third-party service providers, that is, businesses that are affiliated with, provide services to, or process nonpublic information of an NYDFS-covered business. If your business falls into one of these categories and is not an exempt business, you must comply with the regulation, including the obligation to file an annual certificate of compliance.
New York was the first state to implement this landmark regulation. Since its inception, other states, including South Carolina, Ohio, Michigan and Mississippi, have enacted similar laws, and more states are expected to follow suit. Several laws overlap with the provisions of the NYDFS regulation, including:
• Gramm-Leach-Bliley Act. This federal law requires financial institutions to tell customers how they share information, explain that customers have the right to opt out of that sharing, and adopt a written information security plan to protect customer information.
• SHIELD Act. The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) requires New York businesses to put in place reasonable safeguards to protect private information and to provide notification in the event of a data breach.
• SEC proposal. In February 2022, the Securities and Exchange Commission (SEC) proposed cybersecurity rules for investment firms, financial advisers and business development companies. If adopted, these rules will require written policies and procedures, record keeping, confidential reporting and disclosure in the event of an incident. Since the rules are still a work in progress, their complexity will likely require most business and security leaders to work closely with their legal and technical teams to understand and comply with the final SEC guidance.
• Department of Labor (DOL) cybersecurity guidelines. The DOL Benefits Security Administration recently released cybersecurity best practices that fiduciaries of ERISA-covered plans must follow in order to "ensure good mitigation of cybersecurity risks".
Looking just at the NYDFS regulation and a few related laws and proposals, it is easy to see how difficult it is to keep up with new mandates and to decide which security solutions and expertise to put in place to "check all the boxes" for compliance.
If you are unsure whether and how you must comply with the NYDFS regulation or any of the other regulations that govern your industry, seek advice from your law firm and trusted cybersecurity advisors. Having provided managed detection and response (MDR), incident response (IR), vulnerability management and cybersecurity advisory services for many years now, Pondurance has frequently been called upon to help navigate the confusing landscape of compliance. And while we can bring a technical perspective to the compliance conundrum, cybersecurity legal experts understand the laws and can provide critical advice on the legal nuances and on regulatory and compliance implications.
Next Best Step
Pondurance can perform a risk assessment to evaluate your cybersecurity risk and then recommend policies and procedures to address it. We can also complement or function as your cybersecurity team with our managed detection and response, incident response and vCISO services.
For more information on regulations, see our FAQs.
Employee Retirement Income Security Act of 1974, https://www.dol.gov/general/topic/health-plans/erisa