The first charged violation of 23 NYCRR Part 500, the NYDFS Cybersecurity Regulation, has been reported, with a hearing scheduled for later this year. Among other claims, the filing alleges a "willful failure to remediate" a vulnerability. Covered Entities will be interested in the lessons to be gleaned from this action. Below are some quick initial takeaways worth keeping in mind.
1. Risk Assessments Are The Beginning of Risk Management
Even with risk assessments and penetration tests in hand, the Covered Entity must still manage the risks they identify. That means reviewing each finding, planning its remediation, documenting the decision, and following up until it is closed. The entity in question had penetration test results identifying the vulnerabilities, but according to the filing did not properly categorize and remediate the risk.
2. Understand Your Applications
A primary cause of the miscategorization of the key vulnerability in the data exposure was the entity's understanding (or explanation) of the data types associated with the affected system. According to the filing, the vulnerable system was apparently identified as incapable of storing NPI (Nonpublic Information). This influenced the categorization, rightly or wrongly, of the vulnerability as "medium severity." The lesson is that a severity rating is only as accurate as the data inventory behind it: if a system holds NPI that the assessment did not account for, the rating understates the risk.
3. Follow Your Policies and Plans
In the case of the subject Covered Entity, the planned remediation of identified vulnerabilities was not followed. The NYDFS filing alleges that even under the "medium severity" categorization, the entity's own plan called for remediation within 90 days, yet the vulnerability was left unaddressed for more than six months.