Regulations

  • 1.  Proposed "Computer-Security Incident Notification Requirements for Banking Organizations and Their Service Providers"

    Posted 01-04-2021 07:30 AM
    Regulatory alert! The OCC, Federal Reserve and related federal regulatory bodies have issued a notice of proposed rulemaking. If implemented, the proposed regulations would:

    1) define which type of cybersecurity incidents would need to be reported to federal regulators and
    2) require reporting for any such incidents within 36 hours after determining that such an incident has occurred.

    Service Providers are required to alert their banking institution customers of any incident which may disrupt services for at least 4 hours.

    A couple of things to note:

    - The method and content of the notification are not defined. Such notification is expected to simply be an "early warning" to regulators.
    - The incident need not involve a security breach of customer data to be triggered.

    For more information, look here:

    https://www.jdsupra.com/legalnews/federal-financial-regulators-propose-77305/?origin=CEG&utm_source=CEG&utm_medium=email&utm_campaign=CustomEmailDigest&utm_term=jds-article&utm_content=article-link


  • 2.  RE: Proposed "Computer-Security Incident Notification Requirements for Banking Organizations and Their Service Providers"

    Posted 01-04-2021 08:28 AM

    RE: / https://www.jdsupra.com/legalnews/federal-financial-regulators-propose-77305
    Hi Joe,
    Thanks for sharing the link here.

    At the state level, prior to Dec 18th, NY DFS required 72 hours' notification. However, on December 18th at 1pm ET, NY DFS demanded that any covered entity who directly used, or had a third party that used, "SolarWinds Orion" network management software immediately create a cyber security incident notification. This was unprecedented, although widely supported by the organizations I spoke with, as the state being very proactive in maintaining the viability of communications based on NY DFS 23 NYCRR 500 and fitting it to events.

    NY GOV CISO CYBER SECURITY ADVISORIES: https://its.ny.gov/ciso/advisories
    Multiple Vulnerabilities in SolarWinds N-Central Could Allow for Remote Code Execution: https://its.ny.gov/security-advisory/multiple-vulnerabilities-203


    All the best,
    Larry




  • 3.  RE: Proposed "Computer-Security Incident Notification Requirements for Banking Organizations and Their Service Providers"

    Posted 01-04-2021 03:53 PM
    I read the email from NY DFS as directives to review the indicators of compromise and mitigation recommendations. If your company was affected (had the files/areas of exploitation in your instance, for example), then you would need to report:
    "Given the sophistication and persistence of the malware and the adversary, we ask any affected institution to file a notice immediately."

    We recently implemented SolarWinds, did not have an issue with our configuration, and therefore were not affected and did not report a notice. Does anyone else read this the same way?


  • 4.  RE: Proposed "Computer-Security Incident Notification Requirements for Banking Organizations and Their Service Providers"

    Posted 01-06-2021 02:17 PM

    "NY DFS demanded any covered entity who directly used or had a third party that used "Solarwinds Orion" network management software, to immediately create a cyber security notification incident"

    I haven't heard of this, do you have a source?




  • 5.  RE: Proposed "Computer-Security Incident Notification Requirements for Banking Organizations and Their Service Providers"

    Posted 01-07-2021 09:55 AM
    Hi Brian,
    Yes, there was an official email blast at around 1:00 PM ET (12:48 PM in our case).

    It was sent from noreply@dfs.ny.gov to our CEO (i.e., the one that submits the certification of compliance on behalf of the board of directors on Feb 15th each year).

    Please refer to these 2 links:
    1. https://its.ny.gov/ciso/advisories
    #2020-170 12/18/2020 Multiple Vulnerabilities in SolarWinds N-Central Could Allow for Remote Code Execution

    2. https://its.ny.gov/security-advisory/multiple-vulnerabilities-203

    The mail header of the official letter started as follows.
    ========

    Subject: Supply Chain Compromise Alert

    To: Chief Executive Officers, Chief Information Officers, and Chief Information Security Officers of all Regulated Entities

    From: Cybersecurity Division, Department of Financial Services (DFS)

    Subject: Supply Chain Compromise Alert

    Date: December 18, 2020

    ...




  • 6.  RE: Proposed "Computer-Security Incident Notification Requirements for Banking Organizations and Their Service Providers"

    Posted 01-07-2021 10:33 AM

    We interpreted the email to say: go through the steps to see if you were affected, and if you were affected, then you need to send a notice.

    Not everyone sending a notice no matter what.

    Kathy


    Kathleen Zarzycki, CPCU, CISO | CIO | VP Information Technology | Greater New York Insurance Companies |