September 9, 2022
The New York State Department of Financial Services (NYSDFS) created 23 NYCRR Part 500, a cybersecurity regulation, on March 1, 2017. This regulation applies to organizations and agencies in the financial services industry. Entities such as mortgage banks, insurance firms, and private lenders are required to comply.
A strong cybersecurity posture allows you or your IT department to collect, submit, and monitor the required logs, and to identify and apply risk-based policies that limit access to nonpublic information.
Failure to comply with 23 NYCRR 500 can result in substantial financial penalties for your organization. Failure to comply with FFIEC guidelines can result in penalties totaling $2 million. In 2018, NYSDFS issued a $1.8 million fine to a New York State insurance company that failed to implement multi-factor authentication, an explicit control required by 23 NYCRR 500.12(b).
In addition, under 23 NYCRR 500.17(a)(2), Cybersecurity Events must be reported to the Department if they “have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.”
On July 29, 2022, NYSDFS announced proposed changes to multiple sections of the current cybersecurity regulation. The proposed changes introduce new requirements for “CLASS A” companies: those with over $1 billion in gross annual revenue over the last three years and over 2,000 employees. The requirements for CLASS A companies include additional components, such as weekly vulnerability assessments and EDR requirements.
Below, we review a few of the proposed changes and what they mean for your business.
A new component of the amendments expands the role and authority of the Chief Information Security Officer (CISO) to ensure that cyber risks are managed properly and in a timely manner.
According to the section 500.4 amendments, “The CISO must have adequate independence and authority to ensure cybersecurity risks are appropriately managed.” Additionally, the CISO must include in their annual written report plans for remediating identified weaknesses, and must report to senior management or the board on the entity’s risk assessment and major cyber events.
The 500.4 amendments also require the board (or a committee of the board) to have sufficient expertise and knowledge, or an advisor, for effective oversight of cyber risk, along with a subcommittee assigned responsibility for cybersecurity.
What do these changes mean for my cyber program?
To further strengthen continuous monitoring requirements, a penetration test must be performed by a qualified independent party. Those considered a “CLASS A” company (over 2,000 employees) must conduct systematic scans at least weekly. Gaps found during testing must be documented and reported to senior management.
What is not considered continuous monitoring?
The new amendments expand on the importance of multi-factor authentication: the CISO must now approve in writing any compensating controls that achieve reasonably equivalent security when MFA is not enforced on a privileged account. The new amendments also specifically require MFA for remote access to the network and for third-party applications that contain nonpublic information.
Secure End Solution has consistently enforced and highlighted the importance of implementing Single Sign-On (SSO) for third-party enterprise applications and enforcing MFA across all accounts for our clients. The proposed amendments for this section, in our opinion, are the single most significant change.
What do these changes mean for my cyber program?
The new amendments require CLASS A companies to adopt a SIEM, or another centralized logging and security event alerting solution. Separately, all companies must implement an email spam filtering solution and provide yearly training for all employees.
What do these changes mean for my cyber program?
We can increase your cybersecurity stance before an audit. Schedule a free consultation with our cyber team today.