
Column | Final Phase for NY Cybersecurity Regulation: Is Your Financial Institution in Compliance?


New York businesses involved in the financial services sector are facing a Nov. 1 deadline to comply with cybersecurity regulations.

Failure to comply could be costly. In August, the New York State Department of Financial Services reached agreement with Healthplex, Inc., a licensed insurance agent and independent adjuster, to pay a $2 million civil penalty after a hacker executed a phishing attack on an employee’s email and gained access to the private health data and sensitive nonpublic information of tens of thousands of Healthplex consumers.

Eight years in the making, the final phase of New York’s groundbreaking Cybersecurity Regulation Part 500 takes effect Nov. 1. New York was the first state in the nation to mandate cybersecurity standards across the financial services sector when the state’s Department of Financial Services instituted the Cybersecurity Regulation in 2017.

The regulation required licensed financial institutions to implement comprehensive cybersecurity programs, including written security plans, risk assessments, regular testing for vulnerabilities, management of data accessible to third-party vendors, multi-factor authentication for certain access, an incident response plan and annual reports to the state from the organization’s chief information security officer.

Covered entities must certify compliance annually. Regulated entities include partnerships, corporations, branches, agencies, and associations operating under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the state’s banking law, insurance law or financial services law.

The regulation was last amended in November 2023 to protect New York businesses and consumers from cyber threats such as ransomware, extortion and third-party breaches. The state has phased in the amended requirements over the past two years, and the last of them takes effect Nov. 1. Those changes include:

  • Enhanced Multi-Factor Authentication (MFA) Requirements (Section 500.12): Covered entities in the small business, standard and class A categories must comply with enhanced MFA requirements. While SMS prompts qualify, they are more vulnerable, and DFS, along with most security experts, prefers application-based authentication that uses a number-matching challenge, or a hardware token.
    • Covered entities qualifying for a limited exemption pursuant to Section 500.19(a) – small businesses – must still use MFA for remote access to their information systems, remote access to third-party applications and all privileged accounts, other than service accounts that prohibit interactive login.
    • All other covered entities must utilize MFA for any individual accessing any information system of a Covered Entity.
  • Asset Management (Section 500.13(a)): All covered entities must implement written policies and procedures to maintain a complete, accurate and documented asset inventory of their information systems that includes, among other things, tracking ownership and location. Asset inventory is, for example, the first security control in the CIS framework and is generally seen as the first step toward a managed security program. Unless the organization knows every system in use, it cannot ensure that all the controls required by law are applied across its program.
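The two controls above both reduce to the same question: does the organization know what it has, and does each in-scope item meet the rule? The following is an added example, not code from the column or from DFS, showing how a covered entity might run that gap check against its own records. The asset and account data are constructed, and the MFA scoping is a simplification of Sections 500.12 and 500.19(a) as the column summarizes them (privileged accounts for limited-exemption entities, every interactive user for all others, with non-interactive service accounts excluded); it does not model the remote-access and third-party-application prongs.

```python
"""Part 500 compliance gap check (added example; all data below is constructed).

Covers two controls described in the column:
  * 500.13(a): asset inventory must be complete, with owner and location tracked.
  * 500.12:    MFA coverage, scoped by whether the entity has a 500.19(a) limited exemption.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Asset:
    hostname: str
    owner: Optional[str]      # 500.13(a): ownership must be tracked
    location: Optional[str]   # 500.13(a): location must be tracked


@dataclass(frozen=True)
class Account:
    name: str
    privileged: bool
    mfa_enrolled: bool
    service_account: bool = False
    interactive_login: bool = True   # service accounts that prohibit interactive login are out of scope


# Constructed sample data: what the entity *documents* versus what discovery actually *finds*.
INVENTORY: List[Asset] = [
    Asset("db-01", "payments-team", "NYC-DC1"),
    Asset("web-01", "platform-team", "NYC-DC1"),
    Asset("legacy-02", None, "NYC-DC2"),          # documented, but no owner recorded
]
DISCOVERED_HOSTS: List[str] = ["db-01", "web-01", "legacy-02", "shadow-vm-7"]  # shadow-vm-7 is undocumented

ACCOUNTS: List[Account] = [
    Account("alice.admin", privileged=True, mfa_enrolled=True),
    Account("bob.admin", privileged=True, mfa_enrolled=False),
    Account("svc-backup", privileged=True, mfa_enrolled=False, service_account=True, interactive_login=False),
    Account("svc-reports", privileged=True, mfa_enrolled=False, service_account=True, interactive_login=True),
    Account("carol", privileged=False, mfa_enrolled=False),
]


def inventory_gaps(inventory: List[Asset], discovered: List[str]) -> Dict[str, List[str]]:
    """Reconcile the documented inventory against discovered hosts.

    unknown    -> discovered but never documented (the control cannot cover what is unknown)
    stale      -> documented but no longer discoverable (inventory is inaccurate)
    incomplete -> documented without the owner or location the regulation requires
    """
    known = {a.hostname for a in inventory}
    found = set(discovered)
    return {
        "unknown": sorted(found - known),
        "stale": sorted(known - found),
        "incomplete": sorted(a.hostname for a in inventory if not a.owner or not a.location),
    }


def mfa_gaps(accounts: List[Account], limited_exemption: bool) -> List[str]:
    """Return accounts that are in scope for MFA but not enrolled.

    limited_exemption=True  -> 500.19(a) small business: all privileged accounts, except
                               service accounts that prohibit interactive login.
    limited_exemption=False -> every account an individual can log in with interactively.
    """
    gaps = []
    for acct in accounts:
        if acct.service_account and not acct.interactive_login:
            continue  # explicitly carved out by the rule as the column describes it
        in_scope = acct.privileged if limited_exemption else True
        if in_scope and not acct.mfa_enrolled:
            gaps.append(acct.name)
    return sorted(gaps)


if __name__ == "__main__":
    print("Inventory gaps:", inventory_gaps(INVENTORY, DISCOVERED_HOSTS))
    print("MFA gaps (limited exemption):", mfa_gaps(ACCOUNTS, limited_exemption=True))
    print("MFA gaps (standard / class A):", mfa_gaps(ACCOUNTS, limited_exemption=False))
```

Run against real data, the "unknown" list is the one to act on first: an undocumented host is outside every other control in the program, which is the point the column makes about asset inventory being the prerequisite. The "incomplete" list is what an auditor would flag against the ownership and location requirement even when the host itself is known.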

The state also wants automated scans, manual tests, annual reviews and detailed, auditable documentation that proves ongoing compliance and a commitment to security and to uncovering vulnerabilities. If your business is not there yet, it is time to move.

The state offers a comprehensive set of resources for understanding the regulations, and training to achieve compliance, at its Cybersecurity Resource Center, located on the Department of Financial Services website. These are helpful both for the content they contain and, perhaps more importantly, for understanding DFS’s objectives, which is what demonstrating compliance with the regulation requires. Businesses associated with the financial services sector should visit the site to ensure they understand their obligations and take immediate steps with policies and technology to comply.

Covered entities may be fully or partially exempted from the requirements. To qualify for a full exemption, a covered entity:

  • must be affiliated with another DFS-regulated business and all aspects of its business must be fully covered by the cybersecurity program of the other business.
  • must be an inactive individual insurance broker who does not maintain, control or use information systems and does not have any nonpublic information; has not solicited, negotiated or sold any policy or contract for at least one year; and does not otherwise qualify as a covered entity (for example, does not hold another type of license). 
  • must be a charitable annuity society; a risk retention group not chartered in New York; an individual insurance agent or mortgage loan originator placed in inactive status; or an accredited reinsurer, certified reinsurer, or recognized reciprocal jurisdiction reinsurer.

To qualify for a limited exemption, a covered entity: 

  • must have fewer than 20 employees and independent contractors.
  • must have less than $7.5 million in gross annual revenue in each of the last three fiscal years from all its business operations, wherever located, and its affiliates’ New York business operations.
  • must have less than $15 million in year-end total assets, including assets of all affiliates.

More information on these exemptions, and how to apply for them, is available on the DFS website.

Cybersecurity Regulation Part 500 is complex and imposes stiff penalties — fines of $2,500 per day for each day of noncompliance, which increase to $15,000 per day if the DFS superintendent determines the noncompliance is a pattern. It is imperative that businesses ensure their systems are in compliance. Teaming with experienced attorneys and cybersecurity professionals is a step in the right direction.

Alan M. Winchester is the leader of Harris Beach Murtha’s Cybersecurity Protection and Response Practice Group.