A New York special: NYDFS cybersecurity regulation (23 NYCRR 500)
23 NYCRR 500, also known as the NYDFS Cybersecurity Regulation, is a regulation issued by the New York State Department of Financial Services (NYDFS) that requires covered companies to maintain strong data security standards to safeguard their websites and apps. 23 NYCRR 500 requires companies to assess all of their security processes and implement plans to mitigate the weaknesses they discover. The regulation applies to all New York based businesses that provide financial services, such as banks and insurance firms.
This article will help shed some light on the evolving regulatory landscape in the United States. CCPA is not alone: more and more states are joining in with new laws of their own.
What is 23 NYCRR 500?
With most banks and financial companies now offering online services following the COVID-19 outbreak, security and regulatory risks have grown exponentially. Financial services companies operating out of the state of New York have to enforce strong security standards to protect their websites. They also bear sole responsibility for all leaks and breaches that result in data theft.
The original 23 NYCRR 500 regulation took effect on March 1, 2017, but enforcement didn’t go smoothly. Just as with PCI DSS, financial, insurance, and banking organizations were not sure what was actually required of them. This is no longer the case: the NYDFS has left no stone unturned in making the updated 23 NYCRR 500 clear and transparent.
Here are the main 23 NYCRR 500 requirements:
- Provide adequate funding and resources for security purposes and employ a CISO or a dedicated CIO to monitor the ongoing implementation of the latest data protection standards.
- Enforce strict measures to protect data privacy and be transparent about all Personally Identifiable Information (PII) and financial information that is being collected and stored on the company servers.
- Adopt effective incident response plans that ensure the relevant data is collected and reported to the NYDFS within 72 hours of a data breach. This requires continuous monitoring and reporting capabilities.
- Plan and implement effective remediation plans for data breaches, and file annual certifications demonstrating compliance with any 23 NYCRR 500 updates or changes that may occur.
- Besides the certifications, provide annual reports covering all cybersecurity events, the risks faced, and how they were mitigated. This is not practical without automated audit trail generation.
What are the exceptions? If your company has fewer than 10 employees or less than 10 million USD in year-end total assets, you are not bound by 23 NYCRR 500. The same applies to companies with less than 5 million USD in gross annual revenue for three years. Needless to say, even small companies are better off protecting their websites and all the private data they handle on a daily basis.
How to Achieve 23 NYCRR 500 Compliance?
The new privacy regulation applies to state-chartered banks, private bankers, mortgage companies, trust companies, licensed lenders, and insurance companies operating in New York. Even offshore banks and firms licensed to do business in New York now need to comply with 23 NYCRR 500 at all times. This requires a hands-on approach to cybersecurity.
Top practices that can help you achieve 23 NYCRR 500 compliance:
- Encrypt Both In-Transit and At-Rest Sensitive Data
The 23 NYCRR 500 regulation requires you to protect data both in transit and at rest. Protecting in-transit data involves encrypting data that is traveling from a device to the cloud or from one network to another so that it cannot be read along the way. Once data in transit is safeguarded, at-rest data should also be taken care of. This includes other crucial aspects such as BYOD and database security.
- Hire a Chief Information Security Officer (CISO) and Build a Security Team
Besides monitoring and analyzing immediate threats and identifying potential vulnerabilities and loopholes, the CISO should be responsible for all things security, including third-party application risk assessment and dealing with the security implications of those applications. Here are just a few of the CISO’s additional responsibilities:
- Communicating issues, problems and findings to other stakeholders
- Creating a streamlined security plan in sync with the DBA and IT teams
- Planning, purchasing, and building security hardware and software that will ensure best security and compliance standards
- Implementing PoLP (Principle of Least Privilege)
- Monitoring results and findings for fast(er) response times to incidents
Besides the mandatory CISO requirement, your company should ideally build a capable IT security team to address the various cybersecurity issues, apply new policies, and enforce 23 NYCRR 500 (and other related standards) at all times. They should also be involved in security training and onboarding of developers and other stakeholders to raise awareness across all departments.
- Develop a Cybersecurity Program or Policy
Establishing a robust cybersecurity program will help you respond to threats in time and avoid facing them again in the future. How do you set a policy?
- Firstly, a cybersecurity policy is a living document that should be extended and updated based on the company’s experience and technology. New attack methods are being created every day, and your tools will soon become outdated unless you are proactive. All related stakeholders should have access to this “master document.”
- Secondly, before setting any standards or reaching any conclusions, you need to make sure you understand which assets need protection (for example, third parties). Without a thorough audit, you are at risk of neglecting important issues. Check the health of both hardware and software to determine the weak spots that need to be handled first.
- Thirdly, evaluate security maturity levels within your organization. For example, a low level of maturity would mean that almost none of your employees know how to deal with cyberattacks. They are not on the same page: most of them know nothing about your company’s latest security policies and don’t even think about them.
- Implement Proper Reporting Procedures and Audits
No cybersecurity operation is perfect and your organization needs to acknowledge this fact by coming up with proper reporting procedures.
Experiencing a data breach is not the worst thing that can happen to you. Not detecting the issue and not reporting it to the NYDFS can lead to massive fines, not to mention brand damage. Also, CISOs are now required to produce an annual report that demonstrates website security implementation – including what risks your business is facing and how they are being eliminated.
- Third-Party Application Security
Since the CISO is directly responsible for all third-party applications running on the company’s website, they also need to be aware of the dependencies and security blind spots these external applications create on an ongoing basis. Unfortunately, this is often not the case. Third-party application security is becoming the weakest link in cybersecurity operations today.
Risk assessment tools for third-parties are good to have, but they are no longer satisfactory stand-alone solutions, as you’ll learn in the next section.
23 NYCRR 500 and Third Party App Security
It’s no secret that cybercrime has evolved. By injecting malicious scripts into third-party services (payment services, to name just one), attackers gain unauthorized access to sensitive data. Mega-companies like British Airways and Ticketmaster have made the news for customer data exposure and GDPR violations. What are you doing to avoid becoming another statistic?
The gap in security controls begins with the installation of functionality-enhancing third-party applications.
Third-party app examples are many. Google Analytics provides insights into traffic and web performance, and tag managers can sidestep security controls by injecting code directly into the webpage. You also have marketing automation solutions like Marketo and HubSpot, along with seemingly harmless social media integration tools that can also be exploited by attackers.
Unfortunately, security blind spots appear because third-party code runs on the client side, whereas traditional security controls protect the server side. Web skimming, for example, is an attack that exploits these blind spots to bypass traditional security tools, which simply can’t deal with the dynamic nature of third-party applications.
With financial and banking websites running dozens of third-party services on average, how can you mitigate the data security risks? The answer lies in increasing visibility and detecting hidden vulnerabilities and dependencies. Only a comprehensive monitoring solution will give you a 360-degree view, after which you can perform analysis and assessments to detect new threats.
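The visibility the previous paragraphs call for starts with knowing which scripts a page actually loads. The following is an added example, not code from the original article or from any vendor it mentions: it inventories a page’s `<script>` elements and flags third-party ones that are not on an approved list, or that lack Subresource Integrity where the list demands it. The first-party origin, the approved inventory, the hosts and the sample page are all constructed for illustration.

```javascript
// Added example (not from the original article): inventory the <script>
// elements of a page and flag third-party scripts that are not in the
// approved inventory, or that lack Subresource Integrity (SRI) where it is
// required. Runs in a browser console against the live document, or in Node
// against the constructed sample at the bottom.

// Assumption: our own origin. Anything else counts as third party.
const FIRST_PARTY_ORIGIN = "https://bank.example";

// Assumption: the approved third-party inventory the CISO maintains, keyed by
// host, with whether an integrity attribute is mandatory for that host.
const APPROVED_THIRD_PARTIES = new Map([
  ["www.googletagmanager.com", { sriRequired: false }], // tag manager: content changes too often for SRI
  ["js.payments.example", { sriRequired: true }],       // constructed payment SDK host
]);

// Classify a list of { src, integrity } descriptors. Returns one finding per
// script that deserves attention; first-party and compliant third-party
// scripts produce no finding.
function classifyScripts(scripts, firstPartyOrigin = FIRST_PARTY_ORIGIN, approved = APPROVED_THIRD_PARTIES) {
  const findings = [];
  for (const s of scripts) {
    if (!s.src) {
      // Inline code cannot carry SRI; a CSP nonce or hash is the control here.
      findings.push({ src: "(inline)", severity: "info", reason: "inline script; cover it with a CSP nonce or hash" });
      continue;
    }
    let url;
    try {
      url = new URL(s.src, firstPartyOrigin); // resolves relative first-party paths
    } catch {
      findings.push({ src: s.src, severity: "high", reason: "unparseable script URL" });
      continue;
    }
    if (url.origin === firstPartyOrigin) continue;
    const policy = approved.get(url.host);
    if (!policy) {
      findings.push({ src: s.src, severity: "high", reason: "third-party origin not in approved inventory" });
      continue;
    }
    if (policy.sriRequired && !s.integrity) {
      findings.push({ src: s.src, severity: "medium", reason: "approved third party loaded without SRI" });
    }
  }
  return findings;
}

// Count findings by severity so periodic scans can be compared over time.
function summarize(findings) {
  const counts = { high: 0, medium: 0, info: 0 };
  for (const f of findings) counts[f.severity] += 1;
  return counts;
}

// Browser-side collector: reads the live document. Returns [] outside a browser.
function collectFromDocument() {
  if (typeof document === "undefined") return [];
  return Array.from(document.scripts).map((el) => ({
    src: el.getAttribute("src") || "",
    integrity: el.getAttribute("integrity") || "",
  }));
}

// Constructed sample of what a financial site's page might load.
const SAMPLE_PAGE_SCRIPTS = [
  { src: "/static/app.js", integrity: "" },                                           // first party
  { src: "https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER", integrity: "" }, // approved, SRI optional
  { src: "https://js.payments.example/v1/checkout.js", integrity: "" },               // approved, SRI missing
  { src: "https://cdn.unknown-vendor.example/widget.js", integrity: "" },             // not in inventory
  { src: "", integrity: "" },                                                         // inline
];

const liveScripts = collectFromDocument();
const report = classifyScripts(liveScripts.length ? liveScripts : SAMPLE_PAGE_SCRIPTS);
console.log(summarize(report), report);
```

Run against the sample, the report contains one high finding (the unknown vendor), one medium finding (the payment SDK loaded without SRI) and one informational finding (the inline script). Scheduling this kind of inventory and diffing the results over time turns the "dozens of third-party services" into something the CISO can actually report on, and a new host appearing in the high bucket is the signal to investigate before it is written up as an incident.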
Take Control of your Third Parties Now
Protecting your customers’ personal and financial information is no longer optional. The NYDFS is no longer holding back against companies that violate the latest regulations. Financial penalties can reach up to 1000 USD per violation, which effectively means that every harmed user will cost you dearly. Assuming 10,000 customer records were stolen, you may be looking at a 10 million USD fine.
23 NYCRR 500 enforcement is for real. First American Title Insurance Company (First American), a leading US title insurance provider, made headlines in 2020 after facing enforcement action. The reason – not preventing the exposure of over 850 million documents containing Non-Public Information (NPI) over the years. The legal proceedings are expected to continue in 2021 and beyond.
Third-party application security is no longer exclusive to Europe (GDPR) and California (CCPA). You need to take control of your third and fourth parties, while staying fully informed about the dependencies they create within your ecosystem. 23 NYCRR 500 is here to stay, and you now need to elevate your third-party application governance to steer clear of legal trouble.