Remember NYS-DFS? First Enforcement Action

First Enforcement Action Signals a Need for Cyber Review

In March 2017, the New York State Department of Financial Services passed their cyber law – Cybersecurity Requirements for Financial Services Companies, 23 N.Y.C.R.R. Part 500 (NYS-DFS 500).   The law imposed formal cyber security requirements for covered insurance entities and their vendors.  This law was groundbreaking at several levels, most notably that it required formal management accountability for cyber security.

It took nearly 3 years, but the first enforcement action was taken against First American Title Insurance Co.  The main breach occurred because of a web site vulnerability.   However, as is typical, the enforcement action highlighted numerous failures of internal controls.  In total, DFS declared six different compliance violations, including 23 NYCRR 500.03: The requirement to maintain a written policy or policies, approved by senior management, setting forth the covered entity’s policies and procedures for the protection of its information systems and the nonpublic personal information (“NPI”) stored on those systems.  

In fact, the company was cited for not following its own written policies.  While the organization did have vulnerability scanning enabled, it apparently failed to review the results and take proper remediation steps.

Management Accountability Wake-up Call

This enforcement action should be a wake-up call to organizations that are subject to NYS-DFS, but have not taken the formal steps needed to establish a robust cyber security program.  One of the key elements of the law is the requirement for Senior management to formally “attest” to the effectiveness of the program.

Section 500.16 (b) Annually each Covered Entity shall submit to the superintendent a written statement covering the prior calendar year. This statement shall be submitted by February 15 in such form set forth as Appendix A, certifying that the Covered Entity is in compliance with the requirements set forth in this Part.

This implies that the organization has established a formal program, properly assigned and documented security roles, and regularly tests the implementation of their program.  For organizations that “mailed it in” – signing the formal document without the proper analysis – the NYS-DFS requires the maintenance of compliance artifacts for a period of 5 years.

Streamline NYS-DFS Compliance

The enforcement action highlights the need for a comprehensive approach to cyber security, that involves regular testing and monitoring of the program. For organizations that need to jump-start a robust cyber security program, ComplianceShield enables the rapid development and documentation of a program that addresses all NYS-DFS cyber security requirements.  NYS-DFS is just one of the many regulatory frameworks covered by our Common Policy Library (CPL) and enabled by our compliance automation software.