New York State’s Cybersecurity Regulation for Mortgage Lenders


Late last year the New York State Department of Financial Services (NYS DFS) updated its cybersecurity regulation for financial institutions, 23 NYCRR 500. The amended regulation sorts covered entities into three groups with different levels of required compliance: Class A companies, companies with a limited exemption, and companies with a full exemption. Most mortgage brokers and other small to medium-sized mortgage companies qualify for the 500.19(a) limited exemption. A company qualifies if it meets any one of three thresholds: fewer than 20 employees and independent contractors, less than $7,500,000 in gross annual revenue in each of the last three fiscal years, or less than $15,000,000 in year-end total assets. A limited exemption means that most mortgage shops do not have to meet every requirement in 23 NYCRR 500, but they still have to meet many of them.

Will You Get Audited?

NYS DFS examiners are actively contacting mortgage lenders and brokers across the state to conduct cybersecurity examinations. These examinations request 64 pieces of information and documents about your company's cybersecurity practices and its compliance with 23 NYCRR 500. Examples of the requested items include a copy of your most recent risk assessment and an explanation of the framework and methodology used to perform it. If you are not already compliant with the updated regulation when the request for examination arrives, expect a lot of stress and confusion, and possibly penalties, as you scramble to produce the requested information.

What Are The Main Things You Should Know as a Mortgage Lender Trying To Comply With 23 NYCRR 500 (with a 500.19(a) limited exemption)?

  • Reporting (April 15th) – Mortgage lenders must file either a certification of material compliance or a written acknowledgement of non-compliance by April 15th every year, covering the previous calendar year. The filing must be signed by the company's highest-ranking executive and by the person acting as Chief Information Security Officer.
  • Policies & Procedures (April 29th) – Mortgage companies must update their written data security policies and procedures each year.
  • Risk Assessment (April 29th) – Companies must conduct a cyber-risk assessment and update it at least annually and whenever there is a material change in the company's technology or operations. A change in software, hardware, or business operations can change your cyber-risk, and that change should trigger an updated risk assessment.
  • Cybersecurity Awareness Training (November 1st) – Mortgage lenders must complete annual cybersecurity awareness training by November 1st of each year. The training must include social engineering as a topic. Make sure you record which employees complete the training, what the curriculum is, and when it is completed each year.
  • Review and Manage User Access Controls (May 1st each year, beginning in 2025) – Companies must review and manage user access privileges at least annually, starting in 2025. This means assessing whether each employee still needs every system and data set they currently have access to, restricting access to only the files and resources each employee needs for their job, and removing access to data they no longer need. Keep a record of each review and of the access changes it produced, since examiners may ask for it.
  • Assess third-party providers' cybersecurity practices – Regularly assess the cybersecurity practices of the third-party services you use. This matters most for any service or provider that can access company or client information.
  • Securely dispose of client information that is no longer required to be retained – This includes every copy of the data: paper files, backups, files stored in the cloud, and so on.
  • Report cybersecurity incidents and extortion payments – Cybersecurity incidents that meet the regulation's reporting threshold must be reported to NYS DFS within 72 hours of determining that an incident has occurred. Any extortion (ransomware) payment must be reported to NYS DFS within 24 hours of the payment, followed by a written explanation of why the payment was necessary and what alternatives were considered.
  • Implement Multi-Factor Authentication – MFA must be in place for any service that provides access to your business network, information systems, client databases, cloud storage, or anything else that stores or accesses client information. This includes remote access (VPN, remote desktop) and third-party hosted applications such as email and loan origination systems.
  • Create and Maintain an Asset Inventory List – By November 1st, 2025, you must develop and maintain an up-to-date inventory of your IT systems and workstations. The inventory must include information such as each system's make/model, version number, and operating system, and it must be kept current as equipment is added, replaced, or retired.

As with most data security requirements, it is important to remember that these are not just regulations; they are the necessary steps for safeguarding your borrowers' data. In addition to 23 NYCRR 500, all mortgage lenders must also comply with the GLBA Safeguards Rule. When New York State examiners conduct a cybersecurity examination, some of their questions reference the GLBA Safeguards Rule and seek confirmation of GLBA compliance.

If you are worried about your company's compliance with 23 NYCRR 500 or just don't know where to start, reach out to us anytime by calling 801.382.9567 or by emailing me at [email protected]. We offer 23 NYCRR 500 consulting billed hourly, as well as our LendSafe Comprehensive Data Security Program for Mortgage Lenders, in which we implement and maintain your information security program for you. We have experience helping with data security regulatory compliance at mortgage brokers as small as one employee and at companies with hundreds of employees. Alternatively, schedule a time with our mortgage data security regulation consultants.