Financial services companies operating in New York must comply with the Cybersecurity Regulation (23 NYCRR Part 500), which was enacted by the Department of Financial Services (DFS) in 2017. This regulation mandates the implementation of certain cybersecurity measures to safeguard their information systems and nonpublic information. However, it is essential to note that the rule was amended, and the revised requirements will take effect on November 1, 2023. One of the new requirements pertains to reporting ransomware deployments and ransom payments, and it will become effective in December. To learn more about how these new regulations will impact your business, continue reading.
New Ransomware Reporting Requirement: Understanding Its Implications
Effective December 1, 2023, Covered Entities under Rule 500.17 must promptly report ransomware deployments and any ransom payments made to DFS. This new requirement aims to enhance DFS's understanding of the prevalence and impact of ransomware attacks on financial institutions.
To comply with this regulation, Covered Entities must submit a comprehensive report to DFS within 72 hours of becoming aware of a ransomware attack. The report should include detailed information such as the date and time of the attack, the type of ransomware used, the extent of data encryption, and whether ransom payments were made.
EDR Software: A Critical Tool for Ransomware Defense and Compliance
Endpoint detection and response (EDR) software plays a pivotal role in helping businesses meet the new requirements of Rule 500, particularly in addressing the ransomware reporting mandate. EDR software provides real-time visibility into endpoint activity, enabling rapid detection and response to cyberattacks, including ransomware.
While the rule doesn't specifically mandate EDR software, deploying it would significantly reduce the likelihood of a ransomware incident, thereby minimizing the need for cumbersome reporting. SentinelOne, a leading EDR provider, offers a solution that effectively prevents ransomware attacks, reducing the risk of data loss and financial impact.
Proactive Threat Detection: EDR software provides advanced capabilities to detect threats that traditional security measures might miss. This aligns with Section 500.02's requirement for a cybersecurity program that can identify and mitigate risks.
Enhanced Response and Recovery: In line with Section 500.03, which necessitates a policy for responding to and recovering from cybersecurity events, EDR platforms offer superior response mechanisms to mitigate the impact of security incidents.
Comprehensive Policy Support: An effective cybersecurity policy under Section 500.03 should encompass advanced threat detection and response strategies, areas where EDR software excels.
The fines for non-compliance with Cybersecurity Rule 500 can be significant. Covered Entities that fail to comply with the rule may be subject to civil penalties of up to $5,000 per violation per day. In addition, DFS may order Covered Entities to take corrective action and may even revoke or deny their licenses to operate in New York State.
Here is a table of the potential fines for non-compliance with Cybersecurity Rule 500:

| Violation | Maximum penalty |
|---|---|
| Failing to implement a cybersecurity program | Up to $5,000 per day |
| Failing to appoint a chief information security officer (CISO) | Up to $5,000 per day |
| Failing to conduct a comprehensive cybersecurity risk assessment | Up to $5,000 per day |
| Failing to implement risk-based cybersecurity controls | Up to $5,000 per day |
| Failing to implement identity and access management controls | Up to $5,000 per day |
| Failing to implement data governance controls | Up to $5,000 per day |
| Failing to implement third-party vendor management controls | Up to $5,000 per day |
| Failing to report a cybersecurity incident to DFS within 72 hours | Up to $5,000 per day |
| Failing to report ransom payments made to DFS | Up to $5,000 per day |
It is important to note that these are maximum penalties and that DFS will determine the actual amount of any fine on a case-by-case basis. DFS will consider a number of factors when determining the appropriate fine, including the severity of the violation, the size and financial resources of the Covered Entity, and the Covered Entity's history of compliance with cybersecurity regulations.
In addition to civil penalties, non-compliance with Cybersecurity Rule 500 can also lead to reputational damage and loss of customer trust. Businesses that are found to have failed to protect their customers' data from cyberattacks can face significant financial losses and may even be forced to close their doors.
For all of these reasons, it is imperative for small businesses in the financial services sector to take steps to comply with Cybersecurity Rule 500.
How DCS Can Assist Your Partner in Navigating Cybersecurity Challenges
Delaney Computer Services, a trusted SentinelOne partner, is committed to providing comprehensive cybersecurity solutions tailored to the specific needs of small businesses in the financial services sector. DCS offers a range of services to help businesses implement SentinelOne's EDR solution, including:
Deployment and configuration: DCS will help you deploy and configure SentinelOne's EDR solution to ensure optimal endpoint protection.
Threat hunting: DCS can help you identify and remediate potential threats before they can cause damage.
With the November deadline approaching, now is the time to act. Contact us to fortify your cybersecurity defenses and ensure compliance with these critical regulatory requirements.