Cybersecurity Advisory: IC3 Releases Report on Internet Crimes and NYSDFS Issues FAQs on Cybersecurity Regulation

June 30, 2017

This advisory contains information about the Federal Bureau of Investigation Internet Crime Complaint Center's (IC3) 2016 Internet Threat report and the New York State Department of Financial Services' (NYSDFS) FAQs regarding its cybersecurity regulation, 23 NYCRR Part 500.

IC3 Releases 2016 Internet Threat Report

The IC3 recently released its 2016 Internet Threat report, which highlights reported cyber crimes and common complaints. Highlights from the report include:

  • Internet crimes increased by 11,000 and total losses increased by $380 million compared to the same period in 2015.
  • Common cyber crimes reported to the IC3 in 2016 included ransomware, business email compromise, tech support fraud, and extortion.
  • The IC3 received over 12,000 business email compromise complaints in 2016 with losses totaling over $360 million.
  • The IC3 estimates that only 15% of cyber crimes are reported and encourages victims to file complaints to help law enforcement understand and address cyber crimes more effectively.

NYSDFS Issues FAQs on Cybersecurity Regulation

On June 20, NYSDFS issued FAQs regarding the 23 NYCRR Part 500 regulation, which establishes cybersecurity requirements for financial services firms. The FAQs address the regulation's application to different entities, notice requirements for cybersecurity events, the annual certification requirement, and continuous monitoring.

Highlights from the FAQs include:

  • Covered Entities - New York branches of out-of-state domestic banks and out-of-country foreign banks are required to comply with the regulation.
  • Notice Requirements for Cybersecurity Events - Covered entities must report cybersecurity events to the Department if they are likely to materially harm any of the normal operations of the covered entity. Events must be reported within 72 hours from determination of occurrence, and consumers must also be notified.
  • Annual Certifications - Covered entities must certify annually their compliance with the regulation. The first certification is due February 15, 2018.
  • Continuous Monitoring - Effective monitoring should be able to continuously detect changes or activities that might create or show the existence of malicious activity or vulnerabilities.

If you would like to receive guidance regarding the NYSDFS cybersecurity regulation or have any questions, please contact your ACA Aponix consultant or email us at