It’s nerve-wracking. You are sitting at your desk and receive a notification from the New York Department of Financial Services (NYDFS). The notice tells you your organization failed to file a cybersecurity regulation Certification of Compliance under 23 NYCRR 500.
The NYDFS is saying that failing to submit a Certification of Compliance will be taken as a sign that your organization’s cybersecurity program has a “substantive deficiency.”
The truth is, while the regulation covers a lot of ground, your organization is likely already doing most of what it needs to comply. Strong security controls are already expected of financial institutions, and these new rules simply codify the importance of establishing, and documenting, basic security practices to protect your organization.
In basic terms, the regulation can be broken down into three areas of concern: implementation of a cybersecurity program, establishment of appropriate oversight for that program and meeting the deadlines for individual requirements. The bulk of the mandates within this regulation are standard parts of any cybersecurity program, and include best practices such as access reviews, multifactor authentication and management of third-party vendors, to name a few.
Organizations should begin by comparing each of the requirements to their current security controls and documenting how they are addressing the mandates. Engage Internal Audit teams to help independently assess overall compliance, and address any area not fully aligned with a requirement. While independent assessment is not required, it’s a great way to validate a company’s cybersecurity posture.
There are elements of the new regulation that are somewhat vague. For example, in the section on incident response (500.16), the rules state that “…each Covered Entity should establish a written incident response plan designed to promptly respond to, and recover from, any Cybersecurity Event materially affecting the confidentiality, integrity or availability of the Covered Entity’s Information systems or …business operations.” However, the rules do not specifically define what “promptly respond” or “materially affecting” mean.
Other confusion has stemmed from discerning what exactly constitutes a “covered entity.” The regulation, which sets certain parameters according to size and revenue, covers more than just banks. It also affects mortgage companies, insurance agencies doing business in New York, service providers, and others. According to the NYDFS, people who received notifications like the one mentioned at the start of this blog are required to file the Certification of Compliance even if they filed for an exemption under 23 NYCRR Part 500.19.
All of this can seem overwhelming, particularly for smaller financial organizations. However, since the regulation does not directly mention penalties, includes varying deadlines for different aspects of the regulation, and contains a myriad of exemptions, there is less cause for anxiety compared to other regulations such as the General Data Protection Regulation (GDPR). Still, given the uncertainty regarding how a lack of compliance may be used against a company in the event of a breach, it is important that organizations assess and document their security posture against the regulation and submit a Certification of Compliance to the NYDFS.
More importantly, companies must remember that compliance is the result of good security, and not the other way around. Prioritizing the protection of customer data and IT assets will provide a jump start on any regulatory and legislative mandates that appear.