May 20, 2022
The New York State Department of Financial Services (NYSDFS) cybersecurity regulation, 23 NYCRR Part 500, took effect on March 1st, 2017. It applies to organizations operating under a license, registration, or charter from the Department. Companies such as mortgage banks, insurance firms, and private lenders are Covered Entities and are required to comply.
Overall, an IT audit will evaluate your cybersecurity program and require you to submit documentation on the programs, systems, controls, policies, and procedures that make up your current cybersecurity program.
A good cybersecurity stance will enable you or your IT department to produce the necessary logs, demonstrate that monitoring is in place, and readily identify the risk-based policies that limit access to nonpublic information.
Failure to comply can result in significant financial penalties for your organization. Failing to comply with FFIEC guidelines can result in penalties totaling $2 million. In 2018, NYSDFS issued a $1.8 million fine to a New York State insurance company that failed to implement multi-factor authentication, an explicit control required by 23 NYCRR 500.12(b).
In addition, under 23 NYCRR 500.17(a)(2), Cybersecurity Events must be reported to the Department within 72 hours if they “have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.”
Encryption is key to protecting nonpublic information, but it is not limited to hard drives as some may think. Section 500.15 covers nonpublic information both at rest and in transit over external networks, and the CISO must review any compensating controls applied to unencrypted systems or transmission methods at least annually.
What should my cyber program be encrypting or using?
Where encryption is infeasible, such as for a legacy in-house database or application that cannot support it, your CISO should approve a compensating control that makes up for the loss of protection. The effectiveness and residual risk of these controls must be reviewed at least annually.
An important component of a strong cybersecurity stance is active monitoring for cyberthreats. Section 500.05 gives Covered Entities a choice: either maintain effective continuous monitoring that detects, on an ongoing basis, changes in information systems that may create or indicate vulnerabilities, or perform annual penetration testing and bi-annual vulnerability assessments. Continuous monitoring can be attained through a combination of technical tools, controls, systems, or programs that detect changes and vulnerabilities on systems.
What’s not considered continuous monitoring?
Depending on your business, you may already have continuous monitoring in place for some IT systems. Periodic scans or one-time assessments do not qualify; it is important to implement ongoing monitoring on every IT system that stores or processes nonpublic information.
Want to learn more about our approach to high-level monitoring and how we can identify and protect your network? Check out our Secure247+ Cybersecurity Program
Utilizing qualified cybersecurity personnel or a qualified third party to address cybersecurity risks, such as the Log4j vulnerability, is a commonly overlooked requirement (Section 500.10) when adopting a cybersecurity program. Such a provider should deliver cybersecurity awareness training to your employees, monitor IT systems and alert on unauthorized login attempts, and implement risk-based policies that control or limit access to nonpublic information.
What should I be looking for in my Cyber Program or Provider?
We can strengthen your cybersecurity stance before an audit occurs.