acxell Blog
Our Subject Matter Experts Discuss Emerging Banking Issues

NYSDFS Part 500: Doing Your Part to Remain Prepared

9/18/2020

By Cyber Risk Management Group


In July 2020, the New York State Department of Financial Services (“NYSDFS”) announced that First American Title Insurance Company (a subsidiary of the insurance company First American Financial Corp) was the subject of its first ever cybersecurity enforcement action, after the financial institution exposed hundreds of millions of documents containing confidential information, such as social security numbers, wire transaction receipts, drivers’ license images and bank account numbers, dating back to 2003.
The exposure originated from a document-management system that allowed anyone to view files without authentication or any other security requirement or measure. NYSDFS cited six violations by First American of the NYSDFS Part 500 cybersecurity regulations, which were released in March 2017. In this particular case, the institution could potentially face a major penalty of up to $1,000 for each instance of exposed personal information.
 
In total, Part 500 consists of 17 sections (for additional information, refer to the complete list of requirements on the NYSDFS website), which together impose a plethora of requirements on banks and financial institutions: an adequate cybersecurity program, regular risk assessments, penetration testing and vulnerability assessments, controls over access to customer information, and more. There are exemptions from these requirements, as noted below, but they do not apply to First American Financial, a leading provider of title insurance and settlement services with revenue of $6.2 billion as of 2019, nor to many other financial institutions.
 
Exemptions from the Part 500 requirements include the following:

  • Entities with fewer than 10 employees (including any independent contractors)
  • Entities with less than $5,000,000 in gross annual revenue
  • Entities with less than $10,000,000 in year-end total assets

Part 500 Requirements and What Your Institution Can Do To Remain Prepared
 
Part 500 includes best practices to properly secure and implement an adequate cybersecurity program and protect customer information for any organization. However, if your bank or financial institution is not exempt from the regulations, it is especially important to continue to improve your organization’s overall cybersecurity posture through the inclusion of the following rules set forth by the NYSDFS in order to mitigate risk, avoid NYSDFS penalties, and provide a necessary level of security:

  • Cybersecurity Policy: Throughout the past three years, banks and financial institutions have been improving their policies to better meet the requirements expected by NYSDFS. Sections and topics to enhance include asset inventory and device management, access controls and identity management, systems and network security/monitoring, customer data privacy, vendor and third-party service provider management, and risk assessment. Other areas include information security, data governance and classification, business continuity and disaster recovery planning and resources, systems and application development and quality assurance (if applicable), and incident response. Each of these sections should be covered within an organization’s policy.
 
  • Penetration Testing and Vulnerability Assessments: Penetration testing and vulnerability assessments are critical to a financial institution’s network security. They give the institution insight into whether there are vulnerabilities within its network that could potentially be exploited by attackers. NYSDFS requires institutions to ensure that penetration testing is performed on an annual basis and that vulnerability assessments, including external and internal scans, are performed on a bi-annual schedule.
 
  • Access Privileges: Financial institutions must carefully evaluate and monitor each employee who holds administrative access and privileges on the network and core systems. This can be done through user access reviews performed jointly by the IT department and department managers. Organizations are strongly recommended to follow and practice the principle of least privilege.
 
  • Third Party Service Provider Security Policy: Financial institutions are required to implement this policy, which should include identification and risk assessment of third parties, minimum cybersecurity practices required by third parties, due diligence used for evaluation, periodic assessment, etc.
 
  • Training and Monitoring: Training pertains not only to the financial institution’s employees, but also to high level management and the Board of Directors. Training should include cybersecurity awareness and be performed on an annual basis. Additionally, the ISO/CISO as well as the IT staff should participate in ongoing training throughout the year.
 
  • Incident Response Plan: Financial institutions must follow the criteria set out in Part 500 for an adequate Incident Response Plan. These criteria include internal processes for responding to an event, the goals of the plan, definition of responsibilities, communication procedures, remediation of any identified weaknesses, documentation and reporting procedures, and evaluation and revision of the plan. Additionally, organizations should test their Incident Response Plan on an annual basis and include other departments in that testing, not only the IT department.
 
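The Access Privileges item above describes periodic user access reviews as the control for administrative access. The script below is an added illustration of such a review, not code from acxell or from any institution: it reads a constructed account export (the CSV layout, the group names, the approved-administrator register and the 90-day dormancy threshold are all assumptions) and flags privileged-group members who are not on the approved list or who have not logged in recently, the two findings a reviewer typically has to explain or revoke.

```python
"""Periodic privileged-access review (added illustration; not part of the original post).

Reads a constructed account export and an approved-administrator register and
reports accounts whose privileged-group membership is not approved, or whose
last login is older than a dormancy threshold. Column names, group names and
the threshold are assumptions, not any real institution's data.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample export (assumed columns: user, groups, last_login).
SAMPLE_EXPORT = """user,groups,last_login
jdoe,Domain Users;Domain Admins,2020-09-10
asmith,Domain Users,2020-09-14
svc_backup,Domain Users;Domain Admins,2020-03-01
rlee,Domain Users;Core Banking Admins,2020-09-15
tnguyen,Domain Users;Domain Admins,2020-09-12
"""

# Constructed approval register: who is currently approved for each privileged group.
APPROVED_ADMINS: dict[str, set[str]] = {
    "Domain Admins": {"jdoe", "tnguyen"},
    "Core Banking Admins": {"rlee"},
}


@dataclass(frozen=True)
class Finding:
    user: str
    group: str
    reason: str


def review_access(
    export_csv: str,
    approved: dict[str, set[str]],
    as_of: date,
    dormant_after_days: int = 90,
) -> list[Finding]:
    """Return one Finding per (user, privileged group, problem)."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        user = row["user"].strip()
        groups = [g.strip() for g in row["groups"].split(";") if g.strip()]
        last_login = date.fromisoformat(row["last_login"].strip())
        for group in groups:
            if group not in approved:
                continue  # not a privileged group under review
            if user not in approved[group]:
                findings.append(Finding(user, group, "not on approved list"))
            if as_of - last_login > timedelta(days=dormant_after_days):
                findings.append(
                    Finding(user, group, f"dormant for more than {dormant_after_days} days")
                )
    # Stable order so the report diffs cleanly between review cycles.
    return sorted(findings, key=lambda f: (f.user, f.group, f.reason))


def run_sample_review() -> list[Finding]:
    """Run the review over the constructed export as of 2020-09-18 (the post's date)."""
    return review_access(SAMPLE_EXPORT, APPROVED_ADMINS, date(2020, 9, 18))


if __name__ == "__main__":
    for f in run_sample_review():
        print(f"{f.user:12} {f.group:22} {f.reason}")
```

In the constructed data only the `svc_backup` service account is flagged, once for holding Domain Admins without approval and once for being dormant; the sorted output lets the same report be compared across review cycles, which is what an examiner looking for evidence of periodic reviews will ask to see.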
It’s common to think that what happened to First American Financial will never happen to your financial institution, but as the number of institutions suffering cyber-attacks continues to grow year after year, it is important to remain prepared to mitigate any possible risk of a cybersecurity breach. Let’s not forget the accompanying negative publicity and government fines and penalties. In the future, additional information security requirements will likely be rolled out, so stay ahead of the game to prepare your institution and avoid becoming the next First American.