Chris Eckert, CPA
Continuing Care Retirement Communities (CCRC) Must Submit a Certification of Compliance with New York State Department of Financial Services Cybersecurity Regulations
Regulation 23 NYCRR Part 500 (the cybersecurity regulation) was issued by the New York State Department of Financial Services (DFS) in March 2017. DFS stated in writing on February 28, 2018 that Continuing Care Retirement Communities (CCRCs) are covered by the requirement. A bill proposed in the Senate would have amended the insurance law to authorize CCRCs to adopt a written cybersecurity policy rather than complete the full attestation the regulation requires.
The purpose of the bill was to permit CCRCs to attest to the DFS that the CCRC’s cybersecurity policies are not inconsistent with cybersecurity regulations promulgated by the superintendent. The bill was approved, unanimously, by the Insurance Committee and the Rule Committee. On December 7, 2018 the Governor vetoed the bill.
DFS’s position regarding compliance has remained constant:
All CCRCs that failed to submit the Certification but are in compliance with the regulation should do so via the DFS cybersecurity portal as soon as possible. “…The DFS Certification of Compliance is a critical governance pillar for the cybersecurity program of DFS regulated entities, and DFS takes compliance with the regulation seriously. The Department will consider a failure to submit a Certification of Compliance as an indicator that the cybersecurity program of the Covered Entity has a substantive deficiency.”
We interpret this to mean that any entity that has not complied with the regulation should take the necessary steps to become compliant as soon as possible.
23 NYCRR 500 Compliance: What Does the Regulation Require?
The regulation stipulates that covered entities meet the following requirements:
- Assess whether the risk assessment program adequately addresses cybersecurity risks and whether the outputs from such assessments are used in the cybersecurity program
- Assess the cybersecurity policy to determine whether it adequately addresses the regulation’s
- Assess whether the cybersecurity program, based on a risk assessment, sufficiently addresses the regulation’s requirements related to confidentiality, integrity and availability
- Assess the approach to addressing the regulation’s requirement for a Chief Information Security
- Assess the current business continuity and recovery plan and its ability to maintain security audit trails to determine compliance with the regulation’s
- Assess the user access provisioning and access maintenance policies, procedures and
- Assess the software acquisition, development and change management policies, procedures and controls to determine whether cybersecurity requirements are adequately
- Assess whether the organization utilizes qualified and competent personnel to develop, implement, maintain and enforce its cybersecurity program and
- Assess the third-party risk management program to determine whether it adequately addresses cybersecurity
- Determine whether the organization adequately addresses the multifactor authentication
- Assess the data retention and disposal policy, procedures and
- Assess the approach to cybersecurity training and
- Assess the approach to encrypting non-public
- Assess the quality of the incident response
When Do I Need to Comply with 23 NYCRR Part 500?
The Governor’s veto does not change the fact that covered entities are required to comply with the timeline as originally prescribed in the regulation. DFS has stated that attestations should be submitted “as soon as possible”. It should also be noted that the two-year transition period ends on March 1, 2019, so every element of 23 NYCRR Part 500, as currently written, must be complied with by that date. In our opinion non-compliant organizations should take these regulations seriously and ensure compliance as quickly as is reasonably possible.
What are the 23 NYCRR 500 Penalties for Non-Compliance?
The regulation does not specifically detail penalties for non-compliance. It states: “This regulation will be enforced by the superintendent pursuant to, and is not intended to limit, the superintendent’s authority under any applicable laws”. Absent any specific guidance, it is reasonable to assume that enforcement actions could arise pursuant to the general authority of DFS under the NY Banking Law, which allows the superintendent of DFS to require a regulated entity to pay a penalty “for any violation of any regulation promulgated”. NY Banking Law authorizes up to (a) $2,500 per day during which a violation continues, (b) $15,000 per day in the event of any reckless or unsound practice or pattern of misconduct, or (c) $75,000 per day in the event of a knowing and willful violation.
How Can Freed Maxick Help with 23 NYCRR 500 Compliance?
At Freed Maxick we understand that some CCRCs may be challenged to implement the full complement of security policies and procedures required by the regulation.
A Cybersecurity Assessment completed by our certified security analysts can provide an evaluation of which areas of the DFS regulation an organization currently complies with and which areas it does not yet meet and needs to improve. This assessment can examine the organization’s current security posture in alignment with the NIST Cybersecurity Framework (CSF), as well as the controls set out in 23 NYCRR Part 500.
For more information about our cybersecurity assessments and other related programs and services, please contact Sam DeLucia at 585.360.1405.