NYDFS Files Cybersecurity Regulation Charges

The first charged violation of 23 NYCRR Part 500, the NYDFS Cybersecurity Regulation, has been reported, with a hearing scheduled for later this year. Among other claims, the filing alleges a “willful failure to remediate” a known vulnerability. Covered Entities will want to draw lessons from this case. Below are some initial takeaways worth keeping in mind.

1. Risk Assessments Are The Beginning of Risk Management

Even with risk assessments and penetration tests in hand, the covered entity must still manage the risks those assessments identify. That means reviewing each finding, planning and documenting its remediation, and following up until it is closed. The entity in question had penetration test results identifying the vulnerabilities, but did not properly categorize or remediate the risk.

2. Understand Your Applications

A primary cause of the miscategorization of the key vulnerability behind the data exposure was the entity’s understanding (or its explanation) of the data types handled by the affected system. According to the filing, the vulnerable system had been identified as not storing NPI (Nonpublic Information). That assumption, rightly or wrongly, drove the decision to rate the vulnerability as “medium severity”. If the data inventory for a system is wrong, every severity rating derived from it will be wrong as well.

3. Follow Your Policies and Plans

In the case of the subject covered entity, the planned remediation of identified vulnerabilities was not carried out. The NYDFS filing alleges that even under the “medium” severity the entity itself assigned, remediation should have been completed within 90 days, yet the vulnerability was left unaddressed for more than six months.
