NYS DFS 500: Plan for stronger cyber security compliance
The New York State Department of Financial Services (NYS DFS) cybersecurity regulation enacted in 2017 has resulted in numerous enforcement actions and monetary penalties averaging several million dollars. Planned amendments to the regulation will present financial institutions operating in New York with even greater challenges in maintaining their compliance.
Although NYS DFS has not communicated a target date for the amendment going into effect, the window for public comments on the second amendment closed in January 2023, so enactment may well be expected at any time*. In anticipation of these changes, WithSecure is pleased to offer some thoughts and insights on the NYS DFS cybersecurity regulation for covered entities who are working toward ensuring their compliance with the new requirements.
The NYS DFS is a regulatory agency that oversees financial institutions operating in New York. It is responsible for ensuring the safety and soundness of financial institutions, protecting consumers, and promoting the growth of the NY financial services sector. NYS DFS Covered Entities include banks, insurance companies, mortgage lenders and other financial institutions.
In March 2017, NYS DFS promulgated a Cybersecurity Regulation (23 NYCRR Part 500). The intent was to ensure covered entities establish and maintain strong cybersecurity practices to protect consumers and the stability of the financial system from increasingly sophisticated cybercriminals targeting the finance industry. At a high level, the regulation required Covered Entities to perform risk assessments, designate a qualified CISO to implement and enforce a cybersecurity program and policies, and maintain effective cybersecurity functions such as identity & access management, third party service provider oversight and incident response. The regulation also requires covered entities to notify NYS DFS of cybersecurity incidents within 72 hours of occurrence and to submit an annual certification of their compliance with the regulation.
As of June 2023, at least 12 entities had been impacted by NYS DFS enforcement actions which included monetary penalties for violating the cybersecurity regulation. All except one of these actions were taken after the entity suffered a security incident. Details of these actions are published on the NYS DFS website.
In September 2022, NYS DFS published a proposed second amendment to the cybersecurity regulation which will introduce heightened cybersecurity requirements. As with the initial regulation there was a public comment period which closed on January 9, 2023. The NYS DFS is now reviewing comments and is expected to finalize the amended regulation soon.
Enforcement actions are the legal measures that NYS DFS takes against Covered Entities that violate its regulations. Most enforcement actions are based on a consent order, which is a legally binding document that outlines the terms and conditions agreed upon by NYS DFS and the Covered Entity to settle the matter without going to trial. A typical Consent Order related to NYS DFS 500 describes the cybersecurity incident that led to the action, identifies specific sections of the regulation that were violated, prescribes remedial actions and includes a monetary penalty. Enforcement actions are public records published on the NYS DFS website and are usually accompanied by a press release.
WithSecure analyzed NYS DFS enforcement actions related to the Cybersecurity Regulation to gain insight into the types of security incidents that occurred and the sections of the regulation that were found to have been violated. Key findings from this analysis include:
- Of the 47 enforcement actions issued by NYS DFS since 2020, 11 (23%) were related to violations of the Cybersecurity Regulation
- The average Monetary Penalty was almost $3 million
- The reviewed actions identified 55 separate violations of specific sections of the Cybersecurity Regulation
- Seven actions (63%) included a violation for falsely or improperly certifying compliance with the Cybersecurity Regulation as evidenced by the entity suffering a security breach
- Seven actions prescribed specific remediation requirements
- One action was against an entity not subject to regulation by NYS DFS that had experienced a security breach which affected Covered Entities
- The reviewed actions described 15 separate security incidents, with three entities having suffered multiple events
- The security incidents included 13 instances of phishing attacks
- Eight of the security incidents resulted in exposure of non-public information
- Three incidents involved ransomware
- Three incidents resulted in theft of funds with a combined total of $1,935,000
The Second Amendment
In September 2022, NYS DFS proposed a Second Amendment to the Cybersecurity Regulation which will add more stringent requirements. According to NYS DFS, the amendment is intended to address common cyber weaknesses that they have identified since 2017. In particular, the NYS DFS has observed that some regulated entities have failed to:
- Properly implement MFA for remote access by authorized users
- Remediate vulnerabilities in a timely manner
- Replace vulnerable end of life systems
- Secure ports that allow remote access
- Monitor for abnormal system activity
- Secure applications effectively
- Adapt policies and procedures to evolving cyber threats
Some noteworthy changes and themes include:
Top 10 List
WithSecure believes the following new requirements will be the most impactful to covered entities:
- Timely Vulnerability Remediation
- Automated Vulnerability Scans and Manual Reviews
- Asset Inventory
- Centralized SIEM Solution
- Endpoint Detection and Response Solution
- Privileged Access Management Solution
- BC/DR Plan Development, Maintenance and Testing
- Secure Backups and Backup/Restore Testing
- Annual Independent Audit of the Cybersecurity Program
- Risk Assessments performed by an External Expert every three years
Class A Companies
The amendment introduces the category ‘Class A companies’, which are larger institutions subject to heightened requirements. Class A companies are covered entities with at least $20M in annual revenue in New York and either over 2,000 employees or at least $1B in annual revenue including outside of NY.
Additional requirements for Class A companies:
- Annual Independent Audit of Cybersecurity Program
- Password Policy
- Automated method to block weak passwords
- Privileged Access Management Solution
- Endpoint Detection and Response Solution
- Centralized SIEM Solution
- Risk Assessments performed by External Experts every three years
Several of the changes "raise the bar" for cybersecurity regulation, for example:
- Annual Certification of Compliance must be signed by the CEO
- CISO must have adequate authority and sufficient resources to manage cybersecurity risks
- Updated and in-depth requirements for Risk Assessments
- Entities must notify NYS DFS and provide justification if they make a ransomware payment
- The Board of Directors (BoD) is responsible for Risk Management Oversight
- The BoD must have cybersecurity knowledge and expertise
- Social engineering exercises e.g. phishing simulations
- BC/DR Plan development and maintenance
The amendment includes some new and interesting concepts, such as:
- For annual certifications, entities may acknowledge non-compliance with the regulation if they also submit a remediation plan and timeline
- Entities will be considered in violation for "commission of a single prohibited act", including failure to prevent unauthorized access or failure to comply with any section of the regulation for more than 24 hours
- NYS DFS identified 15 factors they will take into account when assessing monetary penalties for violations
Security Incident Reporting
The amendment is more prescriptive on reporting security incidents to the NYS DFS:
- Report security incidents involving Unauthorized Privileged Access, Ransomware or Third Party Service Providers
- Provide ongoing updates on security incidents to NYS DFS and respond to any information requests
- Report ransomware payments and explain the rationale for having done so
The cybersecurity regulatory landscape continues to evolve and NYS DFS is at the forefront. Financial institutions operating in New York must meet the highest standards to avoid regulatory action and substantial penalties. The coming amendments to NYS DFS 500 are likely to pose challenges for even the most mature cybersecurity programs.
WithSecure is committed to supporting organizations in meeting regulatory and other cybersecurity challenges. Please see below a listing of services offerings which may be of value to organizations in managing compliance with the NYS DFS 500 amendment.
Thank you for your interest. Please contact us using the form below to request our eBook and to answer any questions on this article or the NYS DFS Cybersecurity Regulation.
* Update: On June 28, 2023, the NYS DFS published an assessment of the public comments they received for the period which ended January 9, 2023 and updates to the proposed Second Amendment based on these comments. NYS DFS also opened up a new public comment period which ends on August 14, 2023.
What to do next
WithSecure's Security & Risk Management Services
These services, more often known as Governance, Risk and Compliance (GRC), can assist with risk modeling, assessments and workshops, incident readiness including business continuity and disaster recovery planning, supplier audits, maturity assessments, awareness training and information security strategy & governance.
If you also want to tackle these requirements with ISO 27001, or are already aiming to implement ISO 27001 as a way of working, then WithSecure’s Security and Risk Management services can help you. WithSecure is experienced in both ISO 27001 implementation and ISO 27001 internal audit work. Contact us to find out more and to get our expert guidance.
Roundtable: Take a deep dive into the NYS DFS cyber security regulation
We’re pleased to invite you and your colleagues to an in-person roundtable on October 5th 2023 in our New York office.
NYS DFS Assessment of Public Comments
Assessment of Public Comments on the Proposed Amendment to the NYS DFS Cyber security Regulation: What’s Changed?
What the NYS DFS 500 amendment means for regulated entities
These revisions, known as the Second Amendment, will require changes in how covered entities operate if they are to remain compliant.
Countercept MDR can help you fulfil the requirements for ISO 27001 accreditation
This article explains how the WithSecure Countercept managed detection and response service can help to support and provide evidence of ISO 27001 security controls.
Webinar recording: Understanding the NYS DFS 500 regulation and the latest amendment
Hear from our Solution & Risk Management Consultants about the amendments to the regulation and how to prepare.
Want to find out more?
Complete the form and we’ll send you a full report about how to meet the compliance requirements of the NYS DFS 500 and talk to you about how to prepare for the Second Amendment.