The New York State Department of Financial Services (DFS) has been closely monitoring the ever-growing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors. Recently, cybercriminals have sought to exploit technological vulnerabilities to gain access to sensitive electronic data. Cybercriminals can cause significant financial losses for DFS regulated entities as well as for New York Consumers whose private information may be revealed and/or stolen for illicit purposes. The financial services industry is a significant target of cybersecurity threats. The new requirements are forcing companies in the financial industry to look at improving current cybersecurity strategies.
The biggest change to the already strict regulations is the new requirement of multi-factor authentication, which can be viewed in depth under item 500.12. Access Business Technologies (ABT) has been offering multi-factor authentication (MFA) and cybersecurity services to the mortgage industry for over eighteen years. MFA is designed to promote the protection of customer information as well as the information technology systems of regulated entities. Under the new regulations each company will be required to assess its specific risk profile and design a program that addresses its risks in a robust fashion. ABT offers the compliant technology that financial businesses will need, effective March 1, 2018.
Below are some highlighted items from the new requirements:
- 500.04 (b) CISO Begins Reporting to Board of Directors. The Chief Information Security Officer is required to report, in writing, to the Board of Directors, or equivalent governing body, at least once a year. This report includes the status and effectiveness of the Cybersecurity Program as well as any material Cybersecurity Risks.
- 500.05 Begin Annual Penetration Testing and Vulnerability Assessments. In accordance with its Cybersecurity Risk Assessment, each institution must perform continuous monitoring, annual penetration tests and bi-annual vulnerability assessments to assess the effectiveness of its Cybersecurity Program.
- 500.09 Commencement of Periodic Risk Assessments. Periodic Risk Assessments should be conducted to continually address changes to your Information Systems, business operations and Nonpublic Information. This activity should be carried out in accordance with your written Risk Assessment policies and procedures.
- 500.12 Implement Multi-Factor Authentication. Each institution is required to use effective Cybersecurity Controls, which may include Multi-Factor Authentication or Risk-based Authentication. This helps protect against unauthorized access to Nonpublic Information and Information Systems. This is required for any individual accessing the Institution's internal network from an external network.
- 500.14(b) Provide Regular Cybersecurity Awareness Training for All Personnel. Provide regular Cybersecurity Awareness Training for all personnel, updated to reflect the risks identified by the Risk Assessment.
Key Dates Under New York's Cybersecurity Regulation
- March 1, 2017 - 23 NYCRR Part 500 becomes effective.
- August 28, 2017 - 180 day transitional period ends. Covered Entities are required to be in compliance with requirements of 23 NYCRR Part 500 unless otherwise specified.
- February 15, 2018 - Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.
- March 1, 2018 - One year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500.
- September 3, 2018 - Eighteen month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.
- March 1, 2019 - Two year transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11.