NY DFS Cybersecurity Regulation Enforcement on the Horizon
As of March 1, 2019, all Covered Entities were required to have fully implemented New York State’s Department of Financial Services’ (DFS) Cybersecurity Regulation, including the final piece of the puzzle: third-party risk management. Specifically, Covered Entities must now have policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers, such as vendors, consultants, accountants, and cloud service providers.
Now that DFS’ Cybersecurity Regulation is fully implemented, enforcement is next up. Recent announcements by DFS – unveiling two new divisions with broad enforcement authority over cybersecurity – certainly suggest that time is nigh.
On April 29, 2019, DFS launched its new Consumer Protection and Financial Enforcement division. CPFE is tasked with broad responsibility, including for developing investigative leads and intelligence in the banking, insurance, and financial services arenas, with a particular focus on cybersecurity events.
In addition, on May 22, 2019, the Department launched a new Cybersecurity division, billed as the “first of its kind at a banking or insurance regulator” which will focus on “protecting consumers and industries from cyber threats.” According to DFS’ announcement, the role of the new Cybersecurity division will be to “enforce the Department’s cybersecurity regulations, advise on cybersecurity examinations, issue guidance on DFS’ cybersecurity regulations, and conduct cyber-related investigations in coordination with the Consumer Protection and Enforcement Division.”
Under the DFS Cybersecurity Regulation, Covered Entities include organizations operating under license, registration, charter, certificate, permit, accreditation or similar authorization, including, for example:
- Under the Banking Law: state-chartered banks, branches/offices of foreign banks, trust companies and credit unions, certain investment companies, safe deposit companies, and mortgage brokers, title insurers, mortgage loan originators and servicers;
- Under the Insurance Law: insurance companies, bail bond agents, and even HMOs and continuing care retirement communities (CCRCs); and
- Under the Financial Services Law: budget planners, check cashers, licensed lenders, money transmitters, sales finances companies, and virtual currency businesses.
Given the vast array of Covered Entities and the lengthy list of requirements, many companies remain non-compliant. In particular, adoption of technical safeguards, such as encryption, multi-factor authentication, application security, penetration testing, access privileges, and audit trails, as well as human safeguards, such as training and monitoring for all authorized users, are lacking in many organizations.
Non-compliant entities need to be aware that the New York Banking Law authorizes DFS to impose penalties up to:
- $2,500 per day during which a violation continues
- $15,000 per day in the event of any reckless or unsound practice or pattern of misconduct
- $75,000 per day in the event of a knowing and willful violation.
It is expected that the new Cybersecurity division soon will be launching cybersecurity examinations of Covered Entities and fines, undoubtedly, will follow.
Is your organization compliant? Is your organization ready, now that enforcement is here?