The New York Department of Financial Services (NYDFS) put 23 NYCRR 500 into effect on March 1, 2017 to address cybersecurity risks among financial institutions and to protect consumers. The regulation lays out, across 23 sections, the cybersecurity requirements that financial institutions operating in the state must meet, along with the process they must follow for assessing and responding to cybersecurity risks.
The department has issued follow-on guidance under this regulation several times since 2017. Most recently, NYDFS responded to the 300% increase in ransomware attacks in 2020 by issuing guidance in June 2021 on the cybersecurity controls that help prevent ransomware attacks. Over the past year we have also seen the first penalties for non-compliance, which makes it critical for every organization in the financial space to stay on top of new NYDFS guidance relating to 23 NYCRR 500.
Who Must Comply with 23 NYCRR 500
Any person or organization that operates, or is required to operate, under a license, registration, charter, certificate, permit or similar authorization from NYDFS under New York's Banking Law, Insurance Law or Financial Services Law is a "covered entity" and must comply with 23 NYCRR 500. Third-party service providers are not regulated by NYDFS directly, but the regulation reaches them indirectly: each covered entity must maintain a third-party service provider security policy (section 500.11) that imposes minimum cybersecurity practices on its vendors, regardless of whether those vendors are otherwise regulated. Covered entities include:
- State-chartered banks
- Private bankers
- Licensed lenders
- Mortgage companies
- Trust companies
- Third-party service providers (indirectly, through the vendor requirements covered entities must impose on them)
- Insurance companies licensed to operate in New York
- Foreign banks licensed to operate in New York
The regulation grants only limited exemptions. An exempt entity must still file a Notice of Exemption with NYDFS, and several sections of the regulation continue to apply to it. A covered entity qualifies for a limited exemption if it meets any one of the following:
- Employs fewer than 10 people (including independent contractors)
- Produced less than $5 million in gross annual revenue from New York operations in each of the last three fiscal years
- Holds less than $10 million in year-end total assets
A separate, broader exemption covers entities that do not directly or indirectly operate, maintain, or control any information systems and are not required to access, generate, receive, or possess nonpublic information.
The regulation defines nonpublic information as (1) business-related information whose tampering or unauthorized disclosure, access or use would materially harm the business, its operations or its security; (2) any information that can be used to identify an individual when combined with a social security number, driver's license or non-driver ID number, account or credit/debit card number, a security code, access code or password that permits access to a financial account, or biometric records; and (3) any data, other than age or gender, that comes from a healthcare provider or the individual and relates to physical, mental, or behavioral health, the provision of healthcare, or payment for healthcare.
How 23 NYCRR 500 Gets Enforced
In May 2019, NYDFS created a new office, the Cybersecurity Division, and made it responsible for enforcing 23 NYCRR 500. This first-of-its-kind division within a state financial regulator is focused on protecting consumers and financial institutions from cybersecurity threats, with the powers to:
- Enforce cybersecurity regulations
- Advise on cybersecurity examinations
- Issue cybersecurity guidance, particularly as it relates to complying with 23 NYCRR 500 (e.g. standards for information systems, incident response procedures, certifications of compliance)
- Conduct cybersecurity investigations in partnership with the Consumer Protection and Financial Enforcement Division
- Share information about potential cybersecurity threats and trend data on attacks
The Cybersecurity Division's enforcement powers under 23 NYCRR 500 include negotiating a consent order, which typically combines a monetary penalty with required program improvements, and filing a statement of charges that is then adjudicated in an administrative hearing.
Penalties for non-compliance with 23 NYCRR 500 are set by Section 408 of New York's Financial Services Law, which allows up to $1,000 per violation (and up to $5,000 per violation for intentional fraud or intentional misrepresentation of a material fact). In a recent case of non-compliance, the Cybersecurity Division also took the position that each instance of exposed nonpublic information is a separate violation carrying its own $1,000 penalty; as of this writing, that matter has not been decided.
What’s Covered in 23 NYCRR 500
23 NYCRR 500 includes 23 sections of requirements for improving cybersecurity and assessing risk. Some of the major requirements under this regulation include:
- Implementing a cybersecurity program designed to protect the confidentiality, integrity, and availability of information systems. This program should identify and assess risks, use defensive infrastructure, and include capabilities to detect, respond to, and recover from cybersecurity events.
- Developing and maintaining a cybersecurity policy that outlines policies and procedures for protecting information systems and the data they contain. This policy should be based on the organization’s risk assessment and address information security, data governance, asset inventory, business continuity and disaster recovery plans, systems and network security and monitoring, customer data privacy, and incident response, among other areas.
- Appointing a Chief Information Security Officer who is responsible for overseeing and implementing the cybersecurity program and enforcing the cybersecurity policy. The CISO may be employed by the organization, one of its affiliates, or a third-party service provider. The CISO must also deliver a written report on the cybersecurity program's status to the company's board of directors at least once a year.
- Conducting annual penetration testing and bi-annual (twice yearly) vulnerability assessments of information systems, unless the organization has continuous monitoring in place, plus periodic risk assessments that inform the design of the cybersecurity program and policy.
- Maintaining an audit trail designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of normal business operations. Organizations must retain these audit records for at least three years (and records sufficient to reconstruct material financial transactions for at least five years).
- Developing a written incident response plan so the organization can quickly respond to and recover from any cybersecurity event that affects the confidentiality, integrity, or availability of information systems or the continuing functionality of business operations.
Incident Response Measures Required by 23 NYCRR 500
Under 23 NYCRR 500, organizations must introduce an incident response plan so they are prepared to jump into action at any time following a cybersecurity event.
What is considered a cybersecurity event?
23 NYCRR 500 defines a cybersecurity event as any act or attempt (regardless of whether or not it’s successful) to gain unauthorized access to, disrupt, or misuse an information system or information stored on that system.
What does an organization’s incident response plan need to cover?
Each organization must develop a written incident response plan that includes:
- Clear internal processes for responding to a cybersecurity event
- The goals of the incident response plan
- Definitions for roles, responsibilities, and decision-making authority for anyone involved in incident response measures
- Guidelines for external and internal communications regarding the incident, such as notifications to regulators and consumers
- Clear requirements for how to remediate any weaknesses identified in information systems or associated controls following the incident
- How to document and report on the cybersecurity event and related incident response activities
- Any process for evaluating and revising the incident response plan following its use after a cybersecurity event
What type of notification is required for incident response?
Organizations must notify the NYDFS superintendent as promptly as possible, and in no event later than 72 hours after determining that a cybersecurity event has occurred, if that event:
- Requires notification to any government, supervisory, or self-regulatory body under other regulations
- Has a reasonable likelihood of materially harming any part of normal operations
Note that NYDFS notification is separate from consumer notification: when a cybersecurity event exposes individuals' private information, notifications to those individuals must follow New York's information security breach and notification law (General Business Law 899-aa).
Regardless of whether any cybersecurity event has occurred, each organization must also submit a written statement to the NYDFS superintendent annually certifying that it complied with the requirements of 23 NYCRR 500 during the prior calendar year. The original regulation set the deadline at February 15; the amendments adopted in November 2023 moved it to April 15. The organization must retain all records, schedules, and data supporting this certification for five years, available for examination by NYDFS.
If an organization has identified areas, systems, or processes that require material improvement, updating, or redesign, it must document those findings and the remedial efforts planned and already underway, and keep that documentation available to support the certification.
Examples of Incidents That Can Lead to Incident Response Under 23 NYCRR 500
Any act or attempt to gain unauthorized access to, disrupt, or misuse information systems is a cybersecurity event under 23 NYCRR 500, and organizations must be prepared to run their incident response plan when one occurs; whether it must also be reported to NYDFS depends on the notification tests above. Common examples of these types of cybersecurity events include:
Ransomware Attack
In a ransomware attack, attackers deploy malware that encrypts data or locks systems and then demand payment to restore access; many ransomware groups now also steal data first and threaten to publish it if the ransom is not paid. This type of attack has increased tremendously over the past several years. Any instance of ransomware, even where the data is later recovered from backups or decrypted, requires organizations to enact their incident response plan under 23 NYCRR 500, since systems were compromised and information may have been exposed; a successful deployment that disrupts operations or exposes nonpublic information will also generally meet the threshold for notifying NYDFS.
Phishing Attack
A phishing attack occurs when attackers trick users into exposing sensitive data, like passwords or nonpublic account information, by posing as a trusted party (a colleague, a vendor, or a service the user relies on) and simply asking for it, or by sending a malicious link or attachment. Any time an organization's employees fall victim to a phishing attack, credentials or information can be exposed and systems can be compromised, triggering incident response efforts under 23 NYCRR 500.
Drive-By Download Attack
In a drive-by download attack, attackers plant malicious code on a compromised or attacker-controlled website (or in a malicious advertisement served by a legitimate site) so that simply visiting the page exploits a vulnerability in the browser or a plugin and installs malware without the user's knowledge or consent. The resulting foothold lets the attacker hijack the device, spy on the user's activity, or steal data. Because a drive-by download can expose information and compromise systems, it is a cybersecurity event that requires incident response measures under 23 NYCRR 500.
How Organizations Can Prepare to Comply with 23 NYCRR 500
Overall, 23 NYCRR 500 assumes that cybersecurity events will occur and therefore focuses on keeping organizations prepared to detect and respond to them. It does this by requiring organizations to implement a cybersecurity program and a written incident response plan, and by having them regularly assess and report on the effectiveness of those efforts.
Meeting these requirements means organizations must be proactive about both maintaining security and responding to any incidents that might occur. Looking at the incident response side, organizations should think through three essential phases to stay proactive:
1) Readiness
23 NYCRR 500 makes incident response readiness a priority by requiring a written plan that documents how teams will respond and who will be involved. This readiness matters all the more because organizations must notify the NYDFS superintendent of a reportable cybersecurity event within 72 hours of determining that it occurred.
To get started with an incident response plan, organizations should review the requirements for the plan and response measures outlined by 23 NYCRR 500, plus any other relevant laws and contracts. Then, organizations can document a plan that meets these requirements.
2) Response
When a cybersecurity event does occur, organizations must be ready to execute their incident response plan immediately in order to meet the 72-hour notification deadline.
The response phase requires organizations to confirm that an incident occurred and then investigate what happened, including when and how the event occurred, what data was involved, and the impact on nonpublic information and business operations. From there, organizations can remediate the issue to protect against similar cybersecurity events in the future and issue the notifications required under 23 NYCRR 500 and any other relevant laws.
3) Ongoing Management
Lastly, 23 NYCRR 500 requires organizations to regularly evaluate their cybersecurity program effectiveness and report on it annually. This effort ensures that organizations continue to protect against cybersecurity threats even as those threats evolve.
To satisfy this type of ongoing management, organizations should keep monitoring results, reporting, and incident response plans in one centralized place that serves as the single source of truth. It is also important to keep key stakeholders aligned on those plans so they know their responsibilities when an incident does occur.
What Does 23 NYCRR 500 Enforcement Look Like?
Although 23 NYCRR 500 took effect in 2017, its requirements were phased in over transitional periods that ran until March 2019, so organizations effectively had two years to reach full compliance. As a result, enforcement actions for non-compliance are only now beginning to appear. So far, there have been three notable cases that demonstrate what organizations can expect.
Residential Mortgage Services Pays $1.5 Million Penalty Under 23 NYCRR 500
In March 2021, NYDFS entered into a consent order with Residential Mortgage Services, Inc. (RMS) for a penalty of $1.5 million due to its failure to comply with the incident notification and cybersecurity risk assessment requirements of 23 NYCRR 500.
Specifically, an NYDFS examination revealed that RMS had experienced a data breach in 2019 when a phishing attack compromised the email account of an employee with access to nonpublic information (some of which was stored in the mailbox itself). RMS did not thoroughly investigate the incident and did not notify regulators or affected individuals. The same examination found that RMS had no formal cybersecurity risk assessment in place, despite being required to conduct one under 23 NYCRR 500.
In response, NYDFS ordered RMS to pay a penalty of $1.5 million and to update its cybersecurity program to include more controls and proactive assessments. This enforcement action highlights the importance of complying with the proactive protection elements of 23 NYCRR 500.
First American Title Insurance Company Faces Enforcement Action from NYDFS
In July 2020, NYDFS filed a statement of charges against First American Title Insurance Company alleging that a vulnerability in the company's document-sharing system exposed consumers' nonpublic information over several years and that the company failed to fix the issue after discovering it in December 2018.
The statement of charges alleges that First American violated six provisions of 23 NYCRR 500, including not following set cybersecurity policies for the organization, not assessing security risks, and not investigating the vulnerability following its discovery.
This was the first enforcement action NYDFS brought under 23 NYCRR 500, and the first in which it filed charges rather than reaching a negotiated settlement. NYDFS is seeking $1,000 per violation under Section 408 of the Financial Services Law and has argued that each instance of exposed nonpublic information counts as a separate violation.
First Unum and Paul Revere Insurance Companies Pay $1.8 Million Penalty Under 23 NYCRR 500
In May 2021, NYDFS entered into a consent order with First Unum Life Insurance Company of America and Paul Revere Life Insurance Company of America for a penalty of $1.8 million due to falsely certifying compliance with 23 NYCRR 500.
The two affiliated companies experienced phishing incidents in 2018 and 2019 and investigated them, but failed to implement stronger access controls (in particular, multi-factor authentication for email) in response. NYDFS therefore found that the companies' subsequent certifications of compliance with 23 NYCRR 500 were false, since they had not taken the required measures to tighten security around a known area of vulnerability.
NYDFS not only fined the companies $1.8 million as a penalty for non-compliance, but also entered into an agreement with them to improve their cybersecurity programs, in part by hiring a third party to audit access controls.
Proactive Incident Response Must Be a Priority
23 NYCRR 500 emphasizes the importance of proactive protections for cybersecurity and overall preparedness for incident response by requiring financial institutions to have plans in place and regularly evaluate the effectiveness of those efforts. This type of proactivity is essential at a time when cybersecurity threats are increasing significantly.
Being proactive in this way requires organizations to stay current with evolving regulations like 23 NYCRR 500 and to plan incident response measures ahead of time, including what steps they will take when an incident occurs and who is responsible for each one. It also requires regularly reassessing threats and changes to privacy and breach notification laws so that response plans can be adjusted as needed.