With the March 1, 2019 deadline looming for complying with NY’s Cybersecurity Regulation, the NY DFS must be licking its chops at the prospect of imposing fines. Actually, I’m sure they really hope that all covered entities are up to snuff and have sent in their signed certifications or notices of exemption. “Signed certifications or exemptions?” you ask. Yes! You know, Appendix A and Appendix B of the 14-page regulation 23 NYCRR 500? The annual Certification of Compliance (Appendix A) was due on February 15, 2019, and a Notice of Exemption (Appendix B) is due within 30 days of determining that a limited exemption applies…Yeah, those.
The majority of those controls are already quite familiar to those of us in financial services, having been subject to them through FFIEC guidance in general, Appendix J to the FFIEC Business Continuity Planning booklet issued in February 2015, as well as the GLBA 501(b) requirements. NY DFS wants to be sure there is a specific focus on cybersecurity in the third party program:
- Identify our third parties
- Risk assess them (inherent risk)
- Require each third party to have an information security policy in place that specifically addresses cybersecurity
- Conduct due diligence to establish residual risk
- Monitor the third parties on an ongoing basis (SLAs and KPIs)
- Periodically reassess them (residual risk)
- Ensure that Nonpublic Information is encrypted, both in transit and at rest
Recognizing the rapid increase in cyber crime along with the huge financial and personal impact it has directly and indirectly on all of us, the State of NY Department of Financial Services adopted the Cybersecurity Requirements regulation, which took effect on March 1, 2017 and reaches its final transitional deadline on March 1, 2019. The regulation was phased in over four transitional deadlines: August 28, 2017, March 1, 2018, September 1, 2018 and March 1, 2019. The final phase covers the information and cybersecurity requirements pertaining to third parties (section 500.11). To give you an idea of how important this is to the NY DFS, “Third Party Service Provider” is mentioned 21 times (yes, I counted) in those 14 pages. Actually 12 pages, since the last two are the Certification and Exemption forms. Pretty significant if you ask me.
If you think the NY DFS has done this because they have nothing else to do, guess again. Look at the penalties and fines they’ve imposed for AML violations over the past couple of years: Deutsche Bank: $425M, Habib Bank: $630M, Agricultural Bank of China: $215M, Société Générale: $430M, Mashreq Bank: $40M, to name a few. There is no published framework for potential fines for violations of 23 NYCRR 500 that I’ve been able to find in writing anywhere. Given that covered entities have had two years to get their houses in order, you can bet your bottom dollar that penalties and fines for non-compliance, inadequate implementation of controls, or implementation of inadequate controls will be severe. After all, you only have one chance to make a first impression, and I’m sure they want everyone to take them seriously.
If you are still scrambling to get those controls in place, here are the expectations regarding third party service providers as taken from 23 NYCRR 500, section 500.11 (Third Party Service Provider Security Policy). We have a great set of questions in our 3rd Party Toolbox automated vendor management solution that will help you demonstrate that you address the Third Party Service Provider controls, where applicable, in order to meet the NY DFS requirements:
(a) Third Party Service Provider Policy. Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers. Such policies and procedures shall be based on the Risk Assessment of the Covered Entity and shall address to the extent applicable:
(1) the identification and risk assessment of Third Party Service Providers;
(2) minimum cybersecurity practices required to be met by such Third Party Service Providers in order for them to do business with the Covered Entity;
(3) due diligence processes used to evaluate the adequacy of cybersecurity practices of such Third Party Service Providers; and
(4) periodic assessment of such Third Party Service Providers based on the risk they present and the continued adequacy of their cybersecurity practices.
(b) Such policies and procedures shall include relevant guidelines for due diligence and/or contractual protections relating to Third Party Service Providers including to the extent applicable guidelines addressing:
(1) the Third Party Service Provider’s policies and procedures for access controls, including its use of Multi-Factor Authentication as required by section 500.12 of this Part, to limit access to relevant Information Systems and Nonpublic Information;
(2) the Third Party Service Provider’s policies and procedures for use of encryption as required by section 500.15 of this Part to protect Nonpublic Information in transit and at rest;
(3) notice to be provided to the Covered Entity in the event of a Cybersecurity Event directly impacting the Covered Entity’s Information Systems or the Covered Entity’s Nonpublic Information being held by the Third Party Service Provider; and
(4) representations and warranties addressing the Third Party Service Provider’s cybersecurity policies and procedures that relate to the security of the Covered Entity’s Information Systems or Nonpublic Information.
(c) Limited Exception. An agent, employee, representative or designee of a Covered Entity who is itself a Covered Entity need not develop its own Third Party Information Security Policy pursuant to this section if the agent, employee, representative or designee follows the policy of the Covered Entity that is required to comply with this Part.
If the regulation applies to you, be sure that all of your paperwork is filed and that your third party risk management program meets the 23 NYCRR 500 regulatory requirements. You still have time!