Articles
/
Are You a Small Business? Here’s What You Need to Know About 23 NYCRR Part 500 (NYDFS 500)

December 13, 2022

/

12 minutes

Are You a Small Business? Here’s What You Need to Know About 23 NYCRR Part 500 (NYDFS 500)

The NYDFS Cybersecurity Regulation requires New York insurance companies, banks, and other regulated financial services institutions to assess their cybersecurity risk profile. Read more here to understand the NYDFS regulation and what it means for you.

Are You a Small Business? Here’s What You Need to Know About 23 NYCRR Part 500 (NYDFS 500)

It's 5pm on a Friday and you're ready to unplug for the week. Just as your mouse moves towards the shutdown button, the most dreadful email comes through. You're being fined. Why? Because you failed to attest to setting up your cybersecurity program. Now, not only is your weekend ruined, but so are your budget and brand.

This is a reality that many businesses face when trying to keep up with evolving security requirements. Cybersecurity regulations can be challenging to understand and even more difficult to follow. Federal agencies and state governments are developing legislation to protect both users and businesses from cyberattacks. A prominent example currently catching impacted businesses off guard is the State of New York’s Financial Services Cybersecurity Regulation. It was created to address changing threats to consumer data and small and medium-sized businesses (SMBs). The regulation now requires companies of all sizes, including small businesses and sole proprietors, to attest to compliance by April 15, 2023.

While this can sound intimidating, with proper and early preparation, small businesses are finding their way to compliance, better security, and, ultimately, peace of mind. 

If you are an SMB trying to understand this regulation or others like it, you’re in the right place.

It’s critical to understand the basics of NYDFS and whether it applies to you.

What is NYDFS 500?

NYDFS 500 refers to part 500 of chapter 23, a regulation created by the New York Department of Financial Services (NYDFS). This segment in the regulation aims to establish cybersecurity requirements for companies in the financial service industry. 

NYDFS 500 can also be referred to as 23 New York Codes, Rules, and Regulations (NYCRR) 500 or New York State Department of Financial Security (NYSDFS) 500. NYDFS 500 specifically focuses on the protection of all nonpublic information, which refers to social security numbers, medical records, banking account numbers, etc. 

Who’s affected?

If you are a financial service, banking, or insurance company licensed in the State of New York, NYDFS 500 applies to you. Even if you aren’t physically operating out of NY, if you do business that requires NY licensures, this applies to you.

Why is this important?

Financial penalties for noncompliance can be steep and cyberattacks may threaten consumer data and overall trust in your services. On the flip side, if you follow the guidelines for a robust cybersecurity plan, you will become more appealing to prospective clients and protect the valuable personal information of your existing clients.

What are the requirements?

The requirements of NYDFS 500 are numerous and complex. You can find more information about the specific rules in the section below titled How to Comply

When do you need to be compliant?

This regulation has been in effect since 2017. It states that if you are a company “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law,” you are required to comply annually and submit a report of compliance each year by April 15th.

But don’t panic. Get your business ready for compliance with Cyber Pop-up.

The cost of inaction can be steep and unbearable for small businesses.

The NYDFS 500 regulation is 14 pages long and includes four thousand words of legal and technical jargon that will make your eyes cross. While it's meant to be comprehensive, and the words are there for a reason, the complexity makes it nearly impossible for small businesses to navigate. Adding fuel to the fire, 67% of small businesses report not having the skills in-house to respond to these types of challenges. This results in inaction followed by costly consequences. Here are examples of consequences by sector:

Banking Law

Under NY Banking Law, the NYDFS penalties start at $2,500 a day for each day of noncompliance with NYDFS 500. If noncompliance is determined to be a “pattern” by the NYDFS superintendent, the fine may increase to $15,000 a day. If the superintendent decides that any violations have been committed “knowingly and willfully,” the fine will jump to $75,000 daily.

In the most severe case of noncompliance that “undermines public confidence in any such banking organization” or “threatens the safety and soundness of such banking organization,” the penalty is the lesser of $250,000 or 1% of bank assets. 

Insurance Law

Under NY Insurance law, the DFS superintendent will assign a $500 penalty for each offense of non-compliance. The total sum of penalties should not exceed $2500. If fines are not paid after 20 days from the mailing date, the superintendent has the power to revoke a company’s Insurance License. 

Financial Services Law

Under NY Financial Services Law, financial penalties should “not exceed $2,000 for each violation or where such violation is willful, $10,000 for each violation.” 

If the superintendent determines the presence of additional losses due to cybersecurity violations, they have the right to impose additional fines. These added penalties can be much more significant, as shown in the various examples.

In addition to financial penalties, another cost of noncompliance is brand damage. A company’s reputation is stained when it violates cybersecurity regulations, which is not easily forgotten in the internet age.

There is a necessity to disclose any security breaches or non-compliance with customers, which can negatively impact trust and discourage prospective clients. 

Companies of all sizes are facing the very real impacts of NYDFS non-compliance.

Here are some newsworthy stories of companies suffering from the wrath of noncompliance.

  • Residential Mortgage Services Inc. (RMS): The NYDFS enforced a financial penalty on a banking company in 2019 when Residential Mortgage Services Inc. (RMS), a mortgage lender based in Maine, was charged $1.5 million after experiencing a security breach. RMS had filed a compliance report stating that their cybersecurity program was up to code, but upon further inspection, the DFS discovered an unreported security breach that warranted the penalty. In addition to the fine, RMS was required to complete additional security measures and increase the training and monitoring of employees.

  • EyeMed Vision Care LLC: In October of 2022, EyeMed Vision Care LLC was charged a $4.5 million fine by the NYDFS after exposing customers’ nonpublic personal health information and data related to minors. The DFS determined that EyeMed had failed to use multi-factor authentication as required in NYDFS 500. 

Additionally, EyeMed did not limit their user access, did not implement proper data retention and disposal protocol, and did not conduct a thorough risk assessment. On top of the fine, EyeMed was required to conduct a cybersecurity risk assessment and create a comprehensive action plan.

  • Robinhood: In 2022 the NYDFS fined Robinhood Crypto $30 million due to their failure to comply with an anti-money laundering regulation as well as NYDFS 500. The DFS ruled that Robinhood had not adequately addressed their operational risks in their cybersecurity program. As a result of the penalty, Robinhood was required to employ an external consultant to determine further compliance with NYDFS regulations.

Good news. Very clear steps can be taken to comply with the regulation and reduce risk. 

This regulation aims to reduce the possibility of cyber-attacks, so the steps are numerous and involved. To summarize them, NYDFS 500 states that a compliant company must:

  • Build a “cybersecurity program” and assign a “qualified” individual to be a Chief Information Security Officer (CISO)
  • Create and follow a cybersecurity policy based on an annual company risk assessment. Specific areas the policy must cover are:

               - information security

               - data governance and classification

               - asset inventory and device management

               - access controls and identity management

               - business continuity and disaster recovery planning and resources

               - systems operations and availability concerns

               - systems and network security

               - systems and network monitoring

               - systems and application development and quality assurance

               - physical security and environmental controls

               - customer data privacy

               - vendor and third-party service provider management

               - risk assessment

               - incident response

  • Create a cybersecurity governance program that involves routine reporting and notifications to executives and a yearly report to the Board of Directors regarding the cybersecurity program and material cybersecurity risks
  • Conduct penetration testing every year and vulnerability assessments bi-annually
  • Implement multi-factor authentication (MFA) 
  • Encrypt data both in transit and at rest
  • Provide regular training on security awareness to all personnel and monitor the activity of both authorized and unauthorized users
  • Notify the NYDFS superintendent of any security events within 72 hours of their occurrence
  • Using the DFS Cybersecurity Portal, submit a Certification of Compliance report annually. Reports for the calendar year 2022 are due on April 15th, 2023

The requirement for annual compliance reports should be met by April 15th of every year. There is a proposed amendment that, if approved, will not be adopted until the beginning of 2023. After that time, specific requirements will take effect anywhere from 30-180 days after the amendment is adopted.

Even better news. There are partial exemptions that lighten the load for some small businesses.

There are partial exemptions to NYDFS 500, which consider companies’ size, resources, and the necessity for certain parts of the regulation. These exemptions exist to establish fundamental security protocol while reducing the scope of requirements for smaller companies. One partial exemption targets companies with fewer than ten employees and roughly 75% of businesses in NY employ fewer than ten people. 

Folks that are exempt from meeting some of the requirements under NYDFS 500: 

  • Have fewer than ten employees located in NY (this sum includes contractors)

OR

  • Have year-end assets total of less than $10 million

OR

  • A gross annual revenue from New York business for each of the last three years has been less than $5 million

OR

  • Do not utilize an Information System, nor do you generate or have access to nonpublic information

OR

  • Are an “employee, agent, representative or designee” of another “covered entity” and follow their NYDFS 500 compliant cybersecurity plan

As noted above, if licensed under NY Business, Insurance, or Financial Services law, you must comply with NYDFS 500, but some entities have more wiggle room than others.

Your journey to NYDFS doesn’t have to be overwhelming. Cyber Pop-up makes it easy.

As a small or mid-sized business, you may not have access to a team of cyber security specialists to help meet all the requirements of NYDFS 500. That’s where we come in.

Cyber Pop-up offers an affordable package specifically designed for companies like you! We help you build a comprehensive cybersecurity policy that prepares you to comply with NYDFS 500. 

With Cyber Pop-up, companies can access skilled cybersecurity expertise to fill their temporary cybersecurity needs while minimizing overhead costs and without going through the lengthy recruiting process. Cyber Pop-up offers flexible and efficient cybersecurity consulting that reduces the strain businesses face to secure their operations.

By leveraging bite-sized NIST-aligned projects, our on-demand cyber-experts will guide you through manageable steps to bring your security program up to code.

Conclusion

NYDFS 500 may be one of the more in-depth cybersecurity regulations out there, but given the growing concern surrounding cybersecurity, more states may soon follow suit

Whether you fall under the umbrella of companies needing to comply with NYDFS 500 or are outside of its scope, in this advancing age of technology, it is essential to have a strong cybersecurity plan and to understand what legal requirements you must meet. Get started here.