The New York Department of Financial Services (NYDFS) recently announced its first enforcement action under its cybersecurity regulations (23 NYCRR 500), against large title insurance provider First American Title Insurance. The enforcement action cited the company’s failure to comply with numerous aspects of the regulations, such as training, data classification, restricting access, and encryption of Non-Public Information (NPI).
NYCRR 500 requires covered entities – which include banks, insurance companies, and other financial services institutions regulated by NYDFS – to establish and maintain a risk-based cybersecurity program and ensure compliance with rigorous cybersecurity requirements. The regulations also stipulate that senior management must take responsibility for the organization’s cybersecurity program and file an annual certification that confirms compliance.
The first set of deadlines for the initial certifications concluded on June 1, 2020 (postponed from Feb. 15, 2020, due to the COVID-19 pandemic). However, companies must be proactive in remaining compliant with the regulations.
To help you with the continual cycle of compliance required by NYDFS, ask yourself the following key questions:
- Is our risk register reviewed and updated?
- If you have deployed new applications or services that access Non-Public Information (NPI):
  - Have we confirmed that NPI is encrypted both at rest and in transit?
  - Have we confirmed that user access to the NPI is limited and that two-factor authentication is implemented for remote access?
- Have we provided cybersecurity awareness training to all new staff who have access to NPI? Have we refreshed the training of existing staff?
- Have we refreshed the due diligence of vendors who process, access, or store NPI on the company’s behalf? Have we included new vendors in the due diligence process?
CohnReznick understands the business of financial services, the need to safeguard valuable data assets, and today’s sophisticated cybersecurity threats. We also have deep experience with the risk-based technologies, processes, and people skills needed to develop and implement enterprise cybersecurity programs.
If you need help assessing your organization’s readiness for continuing compliance with NYDFS 23 NYCRR 500, we can help you in the following areas:
CISO and board reporting
- Assess cybersecurity policies and procedures
- Review your annual report on your cybersecurity program, material risks, and cybersecurity incidents
Penetration testing and vulnerability assessment
- Assess external penetration testing and vulnerability assessment policies
- Review policies and testing reports of external hosting providers
- Evaluate the scope of and test plans for penetration testing
Encryption of Non-Public Information (NPI)
- Interview company subject matter experts (SMEs) to understand encryption policies for data in transit and at rest
- Review data classification standards
Multifactor authentication (MFA)
- Evaluate current MFA deployment
- Review access management policies
- Appraise application risk rating methodology
- Determine if MFA is enabled on high-risk applications
- Interview company stakeholders to understand current logging and monitoring processes
- Review data classification and retention policies for NPI
- Review logs of systems that handle financial transactions
- Evaluate the organization’s secure data disposal policy
- Determine that the policy is operational and effective
- Review the company’s Software Development Life Cycle (SDLC) to evaluate code review, segregation of duties, and separation of development, testing, quality assurance (QA), and production environments
- Review any related policies and procedures per OWASP’s Application Security Verification Standard
- Review change management tickets
- Assess Active Directory (AD) configurations for enforcement of segregation of duties
- Evaluate access management processes and procedures
- Review access management system logs
- Assess data inventory classification to determine if sensitive data are encrypted at rest and in transit
Cybersecurity awareness and training
- Review security training policy and material
- Review the training log
Third-party risk assessment
- Review vendor classification
- Design the vendor due diligence process
- Perform vendor due diligence