Protecting your institution with effective cybersecurity governance

NY cybersecurity regulation consent order shows need for adequate compliance program

Authored by: Dennis Schaefer and Russ Sommers

In recent news, a Consent Order (CO) was entered into between the New York Department of Financial Services (the Department) and management of National Securities Corporation (NSC) pertaining to noncompliance with cybersecurity regulation 23 NYCRR 500. As mentioned below in greater detail, the Department determined that NSC did not adequately deploy multifactor authentication (MFA), failed to report two (2) of four (4) cyber breaches, and falsely self-certified compliance with the regulation. As a result of the Department’s findings, NSC has been assessed a $3 million penalty payable to the Department and is required to report back to the Department on remediation efforts as defined within the CO.

NSC was found to be noncompliant with three sections of the regulation as follows:

  1. Section 500.12(b) requires the use of multifactor authentication by any individual accessing a covered entity’s internal networks from an external network unless the covered entity’s Chief Information Security Officer (CISO) has approved in writing the use of reasonably equivalent or more secure access controls.
  2. Section 500.17(a) requires covered entities to notify the superintendent as promptly as possible but in no event later than 72 hours from a determination that a cybersecurity event has occurred that is either of the following:
    a. Cybersecurity events impacting the covered entity of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body; or
    b. Cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity.
  3. Section 500.17(b) requires covered entities to provide an annual written statement, certifying compliance with the cybersecurity regulation. In order to certify compliance with the regulation, covered entities must be in compliance with all parts of the regulation.

It is important to have a well-defined approach to achieving compliance with the NY DFS Cybersecurity Law and to ensuring that compliance is maintained over time. The Department has also assembled a list of Frequently Asked Questions (FAQs) for covered entities to reference. There are action steps covered entities can take today to set their organizations up for success:

  1. Perform a self-assessment to evaluate not only how your organization complies with each section of the regulation, but also what documentation exists to support that compliance and what documentation supports current initiatives and planned improvements to the program.
  2. Develop an “evidence locker” containing key artifacts evidencing compliance with each section of the regulation. An effective way to manage this is by creating a checklist of required documentation to be used as a living document to chronicle completion of each key activity, target completion date and date of CISO review.
  3. Engage internal audit (or an external provider) to perform a compliance assessment of your organization's cybersecurity program against the Cybersecurity Law.

Regardless of how your organization chooses to ensure compliance with the NY DFS Cybersecurity Law, remember that while it is important to achieve and maintain compliance with the law, it is equally important to be able to prove compliance with adequate documentation.
