Mortgage Software Solutions Blog

Guide to New York’s Cybersecurity Regulations

Written by Hugo Gonzalez | Mon, Jan 29, 2018

The deadline is less than a month away.

As February 15, 2018 draws near, financial institutions in the state of New York are scrambling to comply with cybersecurity regulations that are new to the industry and unprecedented in the state.

Released in early March of last year, Part 500 of Title 23 or Cybersecurity Requirements for Financial Services Companies (2017) is a 14-page document detailing how finance companies will be legally required to protect nonpublic information in their computer systems.

These regulations were implemented by the Department of Financial Services (DFS) citing security risks and the “ever-growing threat” of foreign nation-states, terrorist organizations and cybercriminals. The DFS Superintendent’s office will be overseeing compliance with the new laws aimed at safeguarding sensitive information that banks, credit unions, and mortgage companies keep on file.

As the zero hour approaches, here is a quick guide to the new DFS directives.

Cybersecurity Programs for All 

The main requirement is that all financial institutions under the regulation of the DFS are now required to create and implement a written cybersecurity program. 

With computer-based leaks making national headlines, New York’s banks will be held to a high standard.

The main issue of information leaks is “nonpublic information” or data gathered about customers and clients that is not meant for public knowledge. This includes business information, identifying information, account numbers, and even medical information.

A “cybersecurity event” is any action or attempt of unauthorized access to this information.

Security Measures

The new DFS regulations specifically call for annual penetration testing and bi-annual vulnerability checks of all information systems.

This includes extensive recordkeeping of system activity. Each financial institution must keep transaction records for a period of 5 years and an audit trail that records at least 3 years of activity.

The DFS further urges permissions control for all software applications.

Policy Requirements

This new cybersecurity program that every institution must implement is subject to oversight. The regulations require that all policies be recorded and approved by a senior officer or the company’s board of directors.

The guidelines state that any policies laid down must address an extensive list of 14 distinct topics ranging from data governance to disaster recovery planning.

Beyond stating the goals of these new measures, the law requires that companies designate a Chief Information Security Officer (CISO) for in-house enforcement.

This individual is required to report in writing annually about security to the company’s board and will be held responsible in the event of a breach at the agency.

Risk Assessment

Beyond coming up with a plan, the new regulations require action.

Financial institutions must run a complete risk assessment of their company. The assessment must be documented and it should include an evaluation of the adequacy of the existing access controls.

By law, this assessment must be carried out by qualified cybersecurity personnel. To avoid passing the buck, companies who hire out for the job must still exercise due diligence in evaluating the adequacy of the third party’s own security practices.

The law makes it clear that the financial institution itself will be held responsible for the integrity of their new program.

Other Regulations

There is a host of supplementary details in the document that outline currently-held security precautions across the information systems industry.

For example, multi-factor authentication for network access, a time limit on data retention, and regular cybersecurity awareness training for all personnel are all part of the regulation.

Encryption guidelines are spelled out and become subject to annual review by the CISO.

Notifications

The final issue addressed by the new regulation involves communication with DFS. The superintendent’s office places a strict time cap on security breach announcements. A company has no more than 72 hours to report any event that has a “reasonable likelihood of materially harming the normal operations” of the company. 

Serious events like this have always fallen under reporting laws to local supervisory bodies. Under the new law, these events will be taken up the chain of command to the Superintendent’s office immediately.  

As of last year, New York is taking cybersecurity seriously. With such strict laws, it’s understandable that financial institutions have been slow to enact changes. After the year-long cushion, the new regulations are set to be enforced and financial institutions will be held responsible if they don’t comply.

14 pages of detailed requirements are on the books. As the transition year comes to an end, banks, mortgage companies, and credit unions are under the gun to make it happen.

Are you a CIO?

Has your institution taken the proper steps for system security?

For comprehensive compliance guidance and other cybersecurity solutions and, contact us.