New York’s cybersecurity regulations for financial services institutions (and their contractors!) have been law for just shy of a year, and that means there’s a swath of deadlines approaching.
There are hundreds of affected companies in Rochester and Buffalo, and most of them don’t have enough in-house resources or IT experience to comply with the burdensome regulations. In fact, a recent survey from the Ponemon Institute found that only 13% of respondents were confident they would be ready by the February 15th deadline.
Companies that try to tackle compliance alone will need to totally rethink their network security to avoid heavy fines and stiff penalties. There are three deadlines in 2018, so preparing your organization is not a one-and-done deal -- it’s an ongoing process that requires ongoing support from a managed IT services provider like Capstone.
Financial services businesses supported by our team will find it relatively easy to comply with New York State Department of Financial Services (NYDFS) regulations on account of our network security specializations and 24/7 monitoring practices.
The earlier that financial institutions contact us, the easier their transition will be. But if you want a little more information before calling, here are answers to all your NYDFS questions:
- What are the NYDFS regulations?
- Whom do these regulations apply to?
- How do covered entities comply with the rules?
- August 28, 2017 requirements
- February 15, 2018 requirements
- March 1, 2018 requirements
- September 3, 2018 requirements
- March 1, 2019 requirements
- Ongoing requirements
- What are the penalties for noncompliance?
- Does compliance guarantee my safety?
- How much experience does Capstone IT have supporting financial institutions?
The final version of the rules was released on February 16th, 2017, and focuses on “ensuring the safety and soundness of New York State’s financial services industry” in the face of an unprecedented number of sophisticated cyber attacks.
These regulations are enforced by the New York State Department of Financial Services and are listed in the New York Codes, Rules and Regulations as 23 NYCRR Part 500. These statutes require financial businesses to protect “nonpublic” information by implementing certain cybersecurity minimums.
The cyber-security regulations cover any organization licensed through the NYDFS. Common examples of covered entities include:
- Budget planners
- Check cashers
- Credit unions
- Licensed lenders
- Mortgage brokers
Businesses licensed through NYDFS will be exempt if they:
- Employ fewer than 10 employees
- Made less than $5 million in gross annual revenue for the past three years, or
- Have less than $10 million in year-end total assets
For more details on which businesses are currently affected by 23 NYCRR Part 500, visit the Who We Supervise page on the program’s website.
Keep in mind that by early 2019, the scope of these regulations will spread to all third-party vendors and the financial institutions they work with (more on that below).
Considering the complex and far-reaching nature of the regulations, there was no way they could be rolled out all at once. There are five important cyber-security deadlines for financial services companies in New York, the first of which our team covered in a community event at our office:
August 28, 2017: 180 days after 23 NYCRR Part 500 was enacted, certain best practices became mandatory for all covered entities:
- A Chief Information Security Officer (CISO) must be appointed. The regulations specifically state that an outside party can fill this role, such as a technician from Capstone IT.
- The covered entity must draft a written cybersecurity policy that protects personally identifiable information, protected health information, and confidential business information. This policy must be approved by the company’s board of directors.
- Every employee managing and implementing the policy must be properly trained and certified (this applies to in-house staff and contractors).
- Although mostly open-ended, a company’s policy must contain a detailed incident response plan that demonstrates the ability to recognize and report a security breach within 72 hours.
- All accounts with access to protected information must require multi-factor authentication.
February 15, 2018: Starting one year after these regulations became law, all covered entities will be required to submit an annual certification to the NYDFS. This can be done via the department’s secure web portal. All technical documents and materials outlining how compliance was achieved should be kept on file, but covered entities will not be required to submit them during the certification process.
March 1, 2018: The CISO’s first annual report to a covered entity’s board of directors is due. This must include a risk and vulnerability assessment, security awareness training, and the results of a penetration test -- all of which Capstone IT clients already receive.
September 3, 2018: Security procedures, guidelines, and standards for all current business applications must be audited. Additionally, all regulated data handled by these applications must be encrypted and safely erased when it is no longer necessary for business operations.
March 1, 2019: Just over two years after these regulations have gone into effect, covered entities must finalize cyber-security policies to govern third-party service providers. Similar to the Health Insurance Portability and Accountability Act (HIPAA), entities covered by 23 NYCRR Part 500 may be liable for breaches caused by a contractor with access to the covered entity’s systems.
For example, if a credit union has an outside attorney with access to account holder data, and the attorney compromises the security of that information, the credit union could be on the hook.
Ongoing requirements: In 2019, these regulations will be in full effect. New companies that fall under the definition of a covered entity or third-party provider must implement everything included in 23 NYCRR Part 500 before opening for business.
The following items will be required annually to maintain compliance:
- A cyber-security report from the CISO to the board of directors
- A certification letter to the NYDFS
- A risk assessment and penetration test
This is where it gets particularly scary. Currently, the regulations don’t provide any detail on how penalties and fines will be calculated. Public comments requested that this information be added, but NYDFS responded that existing language was “sufficient.” In a worst-case scenario, that would mean the sky’s the limit.
Some experts believe that NYDFS will calculate fines based on the existing New York Banking Law, which uses the following benchmarks:
- $2,500 per day during which a violation continues
- $15,000 per day in the event of any reckless or unsound practice or pattern of misconduct
- $75,000 per day in the event of a knowing and willful violation
With those numbers, putting off implementation (knowingly and willfully) for just one week could wipe half a million dollars off your asset sheet.
An entire year of our CapSecure program costs just over 1% of that figure!
Does compliance guarantee my safety? Not even a little bit. Like other IT security regulations, many of the requirements within 23 NYCRR Part 500 do not outline exactly how to meet them, just that covered entities must do so. If a covered entity follows all the rules and is breached, it will still be required to pay for IT forensics, victim notification, and legal representation -- not including reputational damage.
This is just one more reason to enlist a diverse team of trained professionals. Our security services go above and beyond the requirements of the NYDFS regulations and represent the only way to be certain of your safety.
For years, we’ve helped companies like Seneca Financial, Federated Clover, and LVW Advisors deal with cyber-security threats. Although they are true Rochester Rockstars, they can’t do it all. Capstone IT is leading the charge for simpler, more affordable IT security for financial institutions in western New York -- call today to learn what we can do for you.