August 31, 2022
The New York State Department of Financial Services (NYSDFS) put its cybersecurity regulation, 23 NYCRR Part 500, into effect on March 1st, 2017. The regulation applies to organizations and agencies in the financial services industry. Commonly regulated entities include private bankers, cryptocurrency companies, mortgage loan providers, and insurance companies.
The NYSDFS cybersecurity requirements are complex, and meeting them typically requires a full-time contractor, a third-party cybersecurity company, or a Chief Information Security Officer (CISO) to enforce policies and oversee the technology, reporting, policies, and required submissions and notifications.
If your company does not fall under the exceptions above, you should consider adopting an effective cyber program that covers the compliance requirements of 23 NYCRR Part 500.
Failure to comply, or to pass an audit, will result not only in hefty financial penalties; it may also generate bad press and public distrust in your company's ability to store customer data securely. In 2022, NYSDFS issued a $30 million fine to Robinhood Crypto for deficiencies in its cyber program, detailed below.
In addition, under 23 NYCRR 500.17(a)(2), Cybersecurity Events must be reported to the Department if they “have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.”
Section 500.08 requires an entity to have a cybersecurity program with written procedures, guidelines, and standards that applications developed and used in house must adhere to. These policies must be periodically reviewed by the CISO.
When you bring in a new third-party vendor, your company becomes exposed to that vendor's cybersecurity risks. The more third-party vendors that have access to your sensitive data, the higher your risk of cyber attacks and exploits becomes.
What are some third-party vendor regulations?
It is more important now than ever to perform due diligence before bringing in a new technology partner or vendor. This is especially important when selecting a high-risk vendor that will either access nonpublic information (NPI) or store NPI on your entity's behalf.
Secure End Solution is hyper-focused on cybersecurity. We understand the risks involved as an MSP serving the financial services industry. We take a responsive and transparent approach with our clients, and we continually retrain on new technology. Our partnership with FCI Cybersecurity provides our team with additional separation of duties, checks and balances, and cybersecurity standards that other MSPs cannot leverage.
Not sure where to start with identifying third-party vendor access, controls, and the required cybersecurity restrictions? Request a third-party vendor checklist.
Using qualified cybersecurity personnel or a qualified third party to address cybersecurity risks such as the Log4j vulnerability is a commonly overlooked requirement when adopting a cybersecurity program. This provider should deliver cybersecurity training to your employees, be alerted to unauthorized login attempts on IT systems, and implement risk-based policies to control or limit access to nonpublic information.
What should I be looking for in my Cyber Program or Provider?
Learn about what is required for an effective cyber program before an audit occurs.