New York v. Illegal Withdrawal Specialists (23 NYCRR 500)

March 13, 2019 at 1:00 PM

A brief introduction to the recent New York State Department of Financial Services 23 NYCRR 500 cybersecurity regulations.

“I rob banks because that’s where the money is.”

-Willie Sutton, reported in the Saturday Evening Post, January 20, 1951

Sutton never said that, but he did use a Tommy gun to rob $2M (roughly $19M today) over his infamous career.  These days you don’t need a firearm to steal more than Sutton ever dreamed of - for example, just infiltrate the SWIFT (Society for Worldwide Interbank Financial Telecommunication) messaging system.

Back in 2016, hackers stole $81M from the Federal Reserve Bank of New York.  The total could have actually been $1B (yes, Capital-B Billion) had the perpetrators not made a typo in one of their fraudulent transfer requests, which brought the operation to a halt.  That attack was just the tip of the proverbial iceberg, raising enough concern for SWIFT to call for several new security measures, including two-factor authentication to verify system messages.

Around the same time, New York’s Attorney General announced efforts to electronically streamline data breach notification in the wake of a record number of breaches.  And that brings us to 23 NYCRR 500 (in human-readable form, “Cybersecurity Requirements for Financial Services Companies”), proposed by New York’s Department of Financial Services the same year.

The regulation took effect March 1, 2017, and covered entities were required to make their first annual certification filings by February 15, 2018.  Any institution operating “…under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” must comply with the regulations.  Therefore, if you engage in any financial business in the State of New York, you must follow the rules (entities with fewer than 10 employees, less than $5M in gross annual revenue, or less than $10M in year-end total assets are exempt).

Fortunately, NYDFS didn’t reinvent the wheel when proposing the regulations, which map to the NIST Cybersecurity Framework’s Core Functions: Identify, Protect, Detect, Respond, and Recover.  Some terminology differences notwithstanding, that’s essentially what everybody ought to be doing anyway to mitigate information security risks.

DFS built in a two-year transition period to allow covered entities to address each component gradually, rather than requiring everything to be resolved in one fell swoop.  That period ended March 1, 2019, so now thousands of institutions in New York must be in total compliance with the following major areas:

  • Section 500.02: Implement a Cybersecurity Program
  • Section 500.03: Write and Maintain a Cybersecurity Policy
  • Section 500.04: Designate a Chief Information Security Officer
  • Section 500.10: Hire Cybersecurity Professionals or Contract Third-party Vendors
  • Section 500.16: Develop an Incident Response Plan

Additionally, organizations must conduct regular penetration testing (Section 500.05) and bi-annual risk assessments (Section 500.09), maintain audit trails (Section 500.06), and encrypt sensitive data both in transit and at rest (Section 500.15), among other security practices.  The regulations will be enforced by DFS “under any applicable laws,” meaning failure to comply can open a company up to civil and criminal actions under existing statute, such as New York’s banking laws.

Just as with breach notification, DFS has been considerate enough to create an online portal for all necessary filings.  But how do you get to the point where you can file with confidence in the first place?  No need to go it alone: Compass IT Compliance can help protect customers’ data and money from illegal withdrawals by modern, malware-wielding “Willie Suttons” while you focus on your core business.
