Technology Blog »

EDR Required NYS DFS Under Updated Rules 500 by December 1, 2023?

Is EDR required by November 1 DFS 500.23

Financial services companies operating in New York must comply with the Cybersecurity Regulation (23 NYCRR Part 500), which was enacted by the Department of Financial Services (DFS) in 2017. This regulation mandates the implementation of certain cybersecurity measures to safeguard their information systems and nonpublic information. However, it is essential to note that the rule was amended, and the revised requirements will take effect on November 1, 2023. One of the new requirements pertains to reporting Ransomware deployments and ransom payments, and it will become effective in December. To learn more about how these new regulations will impact your business, continue reading.

New Ransomware Reporting Requirement: Understanding Its Implications

Effective December 1, 2023, Covered Entities under Rule 500.17 must promptly report ransomware deployments and any ransom payments made to DFS. This new requirement aims to enhance DFS's understanding of the prevalence and impact of ransomware attacks on financial institutions.

To comply with this regulation, Covered Entities must submit a comprehensive report to DFS within 72 hours of becoming aware of a ransomware attack. The report should include detailed information such as the date and time of the attack, the type of ransomware used, the extent of data encryption, and whether ransom payments were made.

EDR Software: A Critical Tool for Ransomware Defense and Compliance

Endpoint detection and response (EDR) software plays a pivotal role in helping businesses meet the new requirements of Rule 500, particularly in addressing the ransomware reporting mandate. EDR software provides real-time visibility into endpoint activity, enabling rapid detection and response to cyberattacks, including ransomware.

While the rule doesn't specifically mandate EDR software, it would significantly reduce the likelihood of a ransomware incident, thereby minimizing the need for cumbersome reporting. SentinelOne, a leading EDR provider, offers a solution to prevent ransomware attacks effectively, reducing the risk of data loss and financial impact.

The Role of EDR Software

  1. Proactive Threat Detection: EDR software provides advanced capabilities to detect threats that traditional security measures might miss. This aligns with Section 500.02's requirement for a cybersecurity program that can identify and mitigate risks.

  2. Enhanced Response and Recovery: In line with Section 500.03, which necessitates a policy for responding to and recovering from cybersecurity events, EDR platforms offer superior response mechanisms to mitigate the impact of security incidents.

  3. Comprehensive Policy Support: An effective cybersecurity policy under Section 500.03 should encompass advanced threat detection and response strategies, areas where EDR software excels.

The Risk of Non-Adoption

The fines for non-compliance with Cybersecurity Rule 500 can be significant. Covered Entities that fail to comply with the rule may be subject to civil penalties of up to $5,000 per violation per day. In addition, DFS may order Covered Entities to take corrective action and may even revoke or deny their licenses to operate in New York State.

Here is a table of the potential fines for non-compliance with Cybersecurity Rule 500:

Violation Fine
Failing to implement a cybersecurity program Up to $5,000 per day
Failing to appoint a chief information security officer (CISO) Up to $5,000 per day
Failing to conduct a comprehensive cybersecurity risk assessment Up to $5,000 per day
Failing to implement risk-based cybersecurity controls Up to $5,000 per day
Failing to implement identity and access management controls Up to $5,000 per day
Failing to implement data governance controls Up to $5,000 per day
Failing to implement third-party vendor management controls Up to $5,000 per day
Failing to report a cybersecurity incident to DFS within 72 hours Up to $5,000 per day
Failing to report ransom payments made to DFS Up to $5,000 per day

It is important to note that these are just maximum penalties and that DFS will determine the actual amount of any fine on a case-by-case basis. DFS will consider a number of factors when determining the appropriate fine, including the severity of the violation, the size and financial resources of the Covered Entity, and the Covered Entity's history of compliance with cybersecurity regulations.

In addition to civil penalties, non-compliance with Cybersecurity Rule 500 can also lead to reputational damage and loss of customer trust. Businesses that are found to have failed to protect their customers' data from cyberattacks can face significant financial losses and may even be forced to close their doors.

For all of these reasons, it is imperative for small businesses in the financial services sector to take steps to comply with Cybersecurity Rule 500.

How DCS Can Assist Your Partner in Navigating Cybersecurity Challenges

Delaney Computer Services, a trusted SentinelOne partner, is committed to providing comprehensive cybersecurity solutions tailored to the specific needs of small businesses in the financial services sector. DCS offers a range of services to help businesses implement SentinelOne's EDR solution, including:

  • Deployment and configuration: DCS will help you deploy and configure SentinelOne's EDR solution to ensure optimal endpoint protection.

  • Threat hunting: DCS can help you identify and remediate potential threats before they can cause damage.

Next Steps

  • Assessment: Let's evaluate your cybersecurity measures and identify how EDR can enhance compliance.
  • Implementation: We can facilitate the seamless integration of EDR software into your existing cybersecurity framework.
  • Continuous Support: Our team offers ongoing support and monitoring to ensure your cybersecurity remains robust and compliant.

Contact Us Today

With the November deadline approaching, now is the time to act. Contact us to fortify your cybersecurity defenses and ensure compliance with these critical regulatory requirements.