NY Sets The Precedent for Cybersecurity Regulations

05.28.2018

In March 2017, the New York State Department of Financial Services (DFS) implemented 23 NYCRR 500, generally referred to as the New York Cybersecurity Regulation. Its aim is to encourage financial services firms doing business in the state to minimize their security risks. Although many experts see the regulation as flawed, 23 NYCRR 500 is expected to set a precedent for cybersecurity laws and regulations in other states.

Much like the European Union’s General Data Protection Regulation (GDPR), the New York Cybersecurity Regulation has far-ranging geographic reach.  The regulation affects businesses who have headquarters in New York as well as businesses who conduct operations in New York or with New York based customers.

 

 

What does this regulation target?

A 23 NYCRR 500 “covered entity” is any person or organization that is authorized to operate in the state of New York under banking law, insurance law, or financial services law. This includes out-of-state organizations that do business in New York as well as “affiliates,” which are persons with the power to direct or influence the policies of an organization. Exemptions from all or parts of 23 NYCRR 500 include organizations that:

  • Have fewer than 10 employees, including contractors, of the covered entity or affiliates located in New York
  • Have less than $5 million in gross annual revenue from New York operations by the covered entity and affiliates in each of the last three years
  • Have less than $10 million in year-end total assets, including assets of affiliates
  • Do not directly or indirectly operate, maintain, use, or control any information systems

If your organization meets any of the above criteria, you must submit a certification form to be exempt from these regulations.

Why was this implemented?

The regulation is the New York DFS’s response to “the ever-growing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors.” The organizations of this regulation are trying to prevent financial losses and theft of personal data.

What you need to know:

The regulation makes clear what an organization needs to do to comply but offers little guidance on how to implement. It is up t each organization to make sure they are following the regulations and are in compliance. DFS has left it up to the companies to choose their technologies to meet the security requirements. Organizations could be at risk of being non-compliant by doing too little or place an unnecessary burden on them if they do too much.

The reasoning behind leaving out how to implement these regulations? Technology changes too quickly. Prescribing specific solutions could leave the regulations outdated and companies at risk of attack. Allowing the organizations to choose how to implement will ensure data stays protected and eliminates fault from the regulations.

There are two important items you should be aware of: what to report and how your data is classified. The regulations give guidance as to what incidents to report but not what incidents not to report. Determining when to report and when not to is up to the companies to sort out.

Security teams also need to understand the DFS’s definition of non-public information. The New York definition of non-public information includes confidential information such as any information that could harm the company if released. Non-public information used to mean social security number but confidential information is far more reaching.

Where to begin?

1) Develop a cybersecurity program

All covered entities are required to have a formal cybersecurity program to protect the confidentiality, integrity and availability of their information systems. This program will be based on a required risk assessment and focuses on these core functions:

  • Identify and assess internal and external risks
  • Implement a defensive infrastructure along with policies and procedures to protect systems from unauthorized access, use, or other malicious acts
  • Detect cybersecurity events
  • Respond to identified or detected cybersecurity events to mitigate “negative effects”
  • Recover from cybersecurity events and restore normal services
  • Fulfill regulatory reporting obligations

All covered entities are required to document all information relevant to the cybersecurity program.

2) Set a cybersecurity policy

The regulation requires each covered entity to have a written cybersecurity policy that is approved by its senior management or board of directors. This policy should be based on a risk assessment. Among the areas the New York Cybersecurity regulation expects covered entities to include in the policy are data governance, asset inventory and device management, access controls and identity management, business continuity, customer data privacy, and third-party service provider management.

3) Appoint a Chief Information Security Officer

Covered entities that don’t already have a chief information security officer (CISO) are required to designate “a qualified individual responsible for overseeing and implementing the covered entity’s cybersecurity program and enforcing its cybersecurity policy.” The CISO may be an employee of the covered entity or an affiliate, or an organization may use a third-party service provider.

4) Perform penetration testing and vulnerability assessments

This is one of the 23 NYCRR 500 provisions that leaves almost the entire implementation up to the covered entity. All are required to either continuously monitor or do periodic penetration testing and vulnerability assessment to determine the effectiveness of their cybersecurity program.

5) Audit

In response to cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations, a covered entity must be able to do an audit trail. The organization should also be able to reconstruct financial transactions sufficient to support normal operations.

The deadline for full compliance for this section of the regulation is September 1, 2018.

6) Manage access privileges

The regulation requires covered entities to limit access privileges to non-public information and to periodically review those privileges.

7) Ensure application security

Covered entities must have written processes and standards to ensure secure software development practices. This includes evaluating and testing software developed by a third party. Those processes and standards must be periodically reviewed the CISO or a qualified designee.

8) Perform a risk assessment

Every organization, whether covered under this regulation or not, should perform risk assessments to determine their organizations weak spots. The risk assessment is however a core function for any organization that needs to be compliant with 23 NYCRR 500. It requires covered entities to build its cybersecurity plans, policies, and processes around the outcomes of the risk assessment. They must repeat the assessment periodically and each organization must allow for revision of controls to respond to technological developments and evolving threats.

The regulation requires organizations to document and conduct assessments in accordance with written policies and procedures. Guidance given on those policies and procedures is vague and includes:

  • Criteria for the evaluation and categorization of identified cybersecurity risks or threats
  • Criteria for assessing the confidentiality, integrity, security, and availability of information systems and non-public information
  • Requirements for how identified risks will be mitigated or accepted

The deadline for compliance with this section of the regulation is September 1, 2018.

9) Use qualified, knowledgeable cybersecurity staff

Security staff—employees or contracted—must be sufficient to manage the covered entity’s risk and core cybersecurity functions. Covered entities must provide security updates and training to security personnel, and they must verify that security personnel are maintaining their knowledge of current threats and countermeasures.

10) Develop a third-party service provider security policy

The regulation requires organizations to evaluate the risk posed to their information systems and data by third-party service providers as part of their overall risk assessment. They must hold those providers to a minimum security standard, which will be determined through a due diligence process. That standard must be written into the contract between the organization and the provider. Covered entities must also periodically evaluate the risk presented by third-party providers. This means you will have to ensure that every vendor, provider, or contributor to your organization is compliant with your security standards.

The deadline for full compliance with this section of the regulation is March 1, 2019.

11) Implement multi-factor authentication or risk-based authentication

Each covered entity must evaluate its risk to determine which controls to use to protect against unauthorized access. Multi-factor authentication (MFA) is required for external access to the organization’s networks unless it has written permission to use a reasonably equivalent or more secure alternative.

12) Limit data retention

Covered entities must be able to securely delete any non-public information that is no longer necessary for business purposes. Data that is required to be saved by law or regulation is exempt.

The deadline for compliance with this section of the regulation is September 1, 2018.

13) Monitor authorized users and train personnel

The New York Cybersecurity Regulation requires organizations to implement risk-based monitoring of the activity of authorized users for unauthorized access to non-public information. All personnel must receive periodic security awareness training.

The deadline for compliance with the requirement to monitor authorized users is September 1, 2018.

14) Encrypt non-public information

Organizations must implement controls, including encryption, to protect non-public information held or transmitted by the covered entity bot in transit over external networks and at rest. This can be particularly challenging and the DFS is allowing some flexibility with this regulation. It allows organizations to use effective alternative compensating controls if encryption is unfeasible as long as the CISO reviews those controls annually.

The deadline for compliance with this section of the regulation is September 1, 2018.

15) Create an incident response plan

Each organization must have a written incident response (IR) plan that defines:

  • The internal processes for responding to an incident
  • The goals of the IR plan
  • The roles, responsibilities and levels of decision-making authority
  • External and internal communications and information sharing
  • Requirements for remediation of any identified weaknesses in the information systems or controls
  • Documentation and reporting on security events and IR activities
  • How to evaluate and revise the IR plan following an event

This regulation is the first of its kind and it is expected that many states will use this regulation as a baseline for their own state cybersecurity policies. It is not expected that the federal government will release any cybersecurity legislation. This will make doing business between states challenging if policies are not standardized. The time to develop your cybersecurity strategy is now. Datasmith is ready to help you develop a strategy that meets regulations and keeps your business safe.

Share