23 NYCRR 500 Regulation

Four years ago, the New York Department of Financial Services created guidelines regarding the Cyber Security of Financial Services Companies, which went into effect on March 1st, 2017. The need for a cybersecurity expert in this field arose after the DFS had monitored the threat of cyber-attacks and recognized that vulnerabilities in cybersecurity can lead to substantial financial loss- to both DFS regulated entities and the citizens who use their services and provide sensitive information. Because of this, they had recognized the financial service industry as one of high risk to cyber-attacks and therefore were required regulation to protect from a potential financial disaster.

There are 23 parts described in 23 NYCRR 500 for financial service companies to follow to obtain certification of cybersecurity from the DFS. Some topics include describing the Cybersecurity Program itself and policy, appointing a Chief Information Security Officer (CISO) and other personnel, penetration testing into the program, access privileges, guidelines for written procedures to respond to cybersecurity events, multifactor authentication, procedures for reporting events, and more. The guidelines are not meant to be overly prescriptive, and needs are determined based on the risk assessment done on the service. This allows cybersecurity programs to adapt to new methods of cyber-attacks, implement new ways to better protect information, and ultimately better protect against a major cybersecurity crisis. Services can also opt to use affiliates and third-party cybersecurity programs to better comply with the regulation.

Even though these regulations are in place, cyber-attacks can and will still happen. On March 3rd, 2021 the first enforcement of 23 NYCRR 500 by the DFS came in the form of a penalty of $1.5 million. The settlement came about due to an unreported email compromise by an employee at Residential Mortgage Services Inc. (RMS) in March 2019. It was uncovered in a routine examination, one year later in March 2020. The email was compromised when an intruder gained access to the account by way of a phishing attack, which the account itself contained sensitive data from mortgage loan associates including social security numbers and bank account numbers. The company did have 2-factor authentications in place, so the employee did receive a notification that someone was trying to gain access to their email account. However, though she did not make the login attempt herself, she approved the login request, allowing the intruder access to the information. RMS then failed to conduct an appropriate investigation into the data breach, and thus, no notification was sent to consumers and the DFS about the breach. 23 NYCRR 500.17(a)(1) requires all breaches of security to be reported to the DFS within 72 hours, which RMS failed in doing so, as well as breaching 23 NYCRR 500.09 which covers a comprehensive cybersecurity risk assessment, resulting in the $1.5 million fine.

Another cyber-attack recently came in the form of a malware attack on information technology service company SolarWinds, launched on December 13th, 2020. This attack was global, in that customers of SolarWinds products received a software update installing the malware on many systems, including government-owned systems. Some notable customers include 425 of the US Fortune 500, the top 10 US telecommunications companies, the top 5 US accounting firms, all branches of the US Military, the Pentagon, the State Department, and hundreds of universities and colleges worldwide, as well as major cybersecurity company FireEye.

The malware allowed attackers to transfer files, execute files, profile the system, reboot the machine, and disable system services of infected systems. The attackers were believed to be based in Russia, by Russia’s “Cozy Bear” and though some important systems were infected with this malware, the hackers kept their profile low by using the malware as a sort of backdoor to steal credentials, then using it to gain legitimate remote access to the systems. They also used temporary file replacement techniques to remotely execute their tools without detection. Though not the first, this is an example of a software supply-chain attack, which takes advantage of the users’ trust in the parent company (especially with updates). These are usually the most difficult types of attacks to defend against because of how widespread they can become. In accordance with 23 NYCRR 500, companies under the DFS conducted risk assessments to determine if they were at risk for contracting the malware, and out of those entities afflicted by it, 94% of them removed the vulnerabilities within 3 days of the announcement from SolarWinds. This allowed the DFS to find that some companies were not applying patches as regularly as they needed to mitigate high-risk cyber exposure.

23 NYCRR 500 was a first in the national cybersecurity regulation that allowed other services to adopt a similar model, including the US Federal Trade Commission, multiple states, The National Association of Insurance Commissioners, and the Conference of State Bank Supervisors. Other legislation has been introduced, each at different stages in the legislation process, in all 50 states that relate directly to the protection of data and defense from cyber-attacks in the form of cybersecurity.

Related Links:

[1] https://www.lexology.com/library/detail.aspx?g=118caaa4-1da6-4a53-b021-0f6d0d2471f5

[2] https://www.jdsupra.com/legalnews/first-nydfs-cybersecurity-enforcement-6060095/

[3] https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202104271 

[4] https://govt.westlaw.com/nycrr/Browse/Home/NewYork/NewYorkCodesRulesandRegulations?guid=I5be30d2007f811e79d43a037eefd0011&originationContext=documenttoc&transitionType=Default&contextData=(sc.Default)

[5] https://www.csoonline.com/article/3601508/solarwinds-supply-chain-attack-explained-why-organizations-were-not-prepared.html

[6] https://www.ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2021.aspx