New DFS Rules in New York Impact 3rd Party Providers 


What You Need to Know:

The worst time to point the finger is during a security breach: who is responsible, the C-suite or the IT department? With the new regulation put forth by the New York State Department of Financial Services (DFS), specifically 23 NYCRR Part 500, the responsibility gets even murkier, as the question of how third party service providers are to be regulated comes to the forefront.

After receiving 150 comments on proposed Rule 23 NYCRR 500 from individuals and entities, including a variety of regulated entities and trade associations, the New York State Department of Financial Services (DFS) delayed implementation of the regulation by two months. The regulation took effect on March 1, 2017, and DFS-regulated companies (Covered Entities) had 180 days, until August 28, 2017, to come into compliance with the initial requirements; some sections phased in later, and the third party service provider requirements of section 500.11 carried a two-year transitional period.

One of the commenters, Worldwide ERC, a global association of employee relocation professionals, raised a concern because many of the employers its members serve are deemed “Covered Entities” by DFS; as third parties doing business with Covered Entities, are relocation providers themselves subject to the stringent cybersecurity requirements of the new rules? In November 2016, Worldwide ERC submitted a comment letter requesting a clearer understanding of what types of companies would be subject to the regulation proposed by the New York DFS, which you can read here:

http://www.worldwideerc.org/gov-relations/Documents/11-14-201623NYCRR500Comments.pdf

On February 6, 2017, the New York DFS responded to the comments and confirmed the two-month delay. While it is commendable that the New York DFS is proactively addressing cybersecurity, some areas remain murky for third party contractors. The Department’s assessment of the public comments is here:

http://www.dfs.ny.gov/legal/regulations/proposed/rp500apc.pdf

Some of the good news for 3rd party providers:

–  DFS eliminated a provision in section 500.11(b) that may have unintentionally suggested that Covered Entities are required to audit the systems of all third party service providers. In response to comments seeking greater clarity on the requirements of this section, the Department also added a defined term, “Third Party Service Provider(s)”.

– The Department included a limited exemption for a Covered Entity that does not directly or indirectly operate, maintain, utilize or control any Information Systems, and that does not control, generate, receive or possess Nonpublic Information.

– The Department included an exemption for an employee, agent, representative, designee or Affiliate of a Covered Entity that is itself a Covered Entity, to the extent that the employee, agent, representative, designee or Affiliate is covered by the cybersecurity program of the Covered Entity.

– The Department amended the limited exemption in section 500.19(a) by adding Covered Entities with fewer than 10 employees, including independent contractors; deleting Covered Entities with fewer than 1,000 customers in each of the last three calendar years; and changing “and” to “or” in two locations.

If your company works with a Covered Entity in New York State, your best bet is to speak with legal counsel to ensure you are in compliance with the new DFS rules.

Setting Up A Cybersecurity Plan

If you, as a small business, deal with Covered Entities, it would not be a bad idea to have your own written cybersecurity plan ready to present if asked. Here are some things to look at within your own business.

  1. Employee ID badges: Does your staff have ID badges with current photos and clearly marked access levels, to make it harder for someone to falsely claim they work for your company?
  2. Computer updates: Protect your data by keeping your security software, operating system and web browser updated with the latest security and bug fixes. Make sure any software you use to run billing and customer management is updated as well. Run regular virus and malware scans.
  3. Back up data: Make regular backups of important data, either manually or automatically, at least weekly, and store copies offsite or in the cloud. Test that a backup can actually be restored. SecurShred can help with our Storage Services.
  4. Protect your internet connection by using a firewall that can prevent outsiders from accessing your data and, in some cases, prevent certain data from being transmitted from your computers. If employees work from home, make sure their systems are protected as well.
  5. Secure your Wi-Fi networks by making sure they use WPA2 or WPA3 encryption (not WEP or an open network). Hiding the Service Set Identifier (SSID) is a minor extra and is no substitute for encryption. Make sure the router’s own administrative interface is password protected and not using the default username and password, since the defaults are easily found online.
  6. Limit employee access to data. Employees should only be given access to the data they need to do their job. No single employee should have access to all data.
  7. Usernames and passwords should be unique to each employee for every system they access. There should not be one password that everyone uses, and employees should not share their credentials with others. Passwords should be at least 16 characters and mix letters (capital and lowercase), numbers and symbols, and credentials protecting more sensitive data should be changed promptly whenever compromise is suspected.
  8. Multi-factor authentication should also be used rather than relying on passwords alone. This can be a physical security key (USB device) that must be plugged in to log in, a one-time code generated by an authenticator app or sent to your phone or another device, or biometrics (fingerprint, face or iris scanner).
  9. Secure your website and cloud-based software. If customer information is accessible via the internet, make sure your site serves it over TLS (formerly SSL) with a valid certificate; this changes http://yoursite.com to the more secure https://yoursite.com. Apply the same principles to your website that you apply to your computers (unique usernames and passwords, multi-factor authentication, controlled access to data).
  10. Handle old computers and hard drives with care by completely destroying them (or securely wiping the drives) when they are no longer in use. Check out our hard drive destruction services.

You can get more information and download a cybersecurity checklist for your business from the resources below.

https://www.fcc.gov/general/cybersecurity-small-business
https://www.utah.gov/beready/business/documents/BRUCyberSecurityChecklist.pdf