Recognizing that the financial services industry is a significant target of cybersecurity threats, the New York State Department of Financial Services (NYDFS) recently promulgated Cybersecurity Requirements for Financial Service Companies (23 NYCRR 500).
If 23 NYCRR 500 applies to your organization, you will need to familiarize yourself with all the details, but in the meantime, here is a summary of the 6 key things every financial institution needs to know about this set of regulations.
1. Who needs to comply?
The regulations apply to every “Covered Entity,” which is defined as “any Person” licensed to operate under banking, insurance, or financial services laws (Sec 500.01(c)). “Persons” can be either individuals or non-governmental entities such as partnerships, corporations, and associations (Sec 500.01(i)), including:
- Commercial banks and trust companies
- Check cashers
- Domestic and foreign representative bank offices
- Health insurers
- Life insurance companies
- Money transmitters
- Mortgage brokers, loan originators, and loan servicers
- Property and casualty insurance companies
- Sales finance companies
- Service contract providers
2. What are the main requirements of the regulations?
The regulations require that each Covered Entity:
- Conduct a periodic Risk Assessment of its Information Systems (Sec. 500.09).
- Design and maintain a Cybersecurity Program, based on the Risk Assessment, designed to protect the confidentiality, integrity, and availability of its Information Systems (Sec 500.02(c)).
- Based on the Risk Assessment, implement and maintain:
  - A written Cybersecurity Policy, approved by a Senior Officer or the Board of Directors, setting forth policies and procedures for the protection of its Information Systems and Nonpublic Information (Sec 500.03).
  - A written Third Party Service Provider Security Policy for the protection of such systems and information accessible to Third Parties (Sec 500.11).
- Designate a Chief Information Security Officer (CISO) to oversee the Cybersecurity Program and enforce the Cybersecurity Policy (Sec 500.04).
3. What should a Cybersecurity Program include in order to comply with these regulations?
For a Cybersecurity Program to comply with the requirements of these regulations, it should include the following:
- Continuous monitoring or periodic Penetration Testing and Vulnerability Assessments (Sec 500.05).
- Audit trails designed to detect and respond to Cybersecurity Events (Sec 500.0(a)(2)).
- Access controls to limit access privileges to systems providing access to Nonpublic Information (Sec. 500.07).
- Written procedures, guidelines, and standards to ensure secure in-house development of applications and for evaluating, assessing, and testing externally developed applications (Sec. 500.08).
- Effective controls (e.g., Multi-Factor Authentication or Risk-Based Authentication) to protect against unauthorized access to Nonpublic Information or Information Systems (Sec. 500.12(a)).
- Risk-based policies, procedures, and controls to monitor activity of Authorized Users and detect unauthorized access, use, or tampering by Authorized Users (Sec. 500.14(a)).
- Controls (e.g., Encryption) to protect Nonpublic Information in transit and at rest (Sec 500.15(a)).
- Written Incident Response Plan to promptly respond to and recover from any material Cybersecurity Event (Sec 500.16(a)).
4. What are the reporting and certification requirements?
The regulations include the following reporting and certification requirements:
- The CISO shall report annually to the Board of Directors or Senior Officer on the Cybersecurity Program, Cybersecurity Policies and Procedures, material cybersecurity risks, program effectiveness, and material Cybersecurity Events (500.04).
- The Board of Directors or Senior Officer shall provide a written statement to the New York State Superintendent of Financial Services certifying that the Cybersecurity Program complies with this regulation (500.17(2)(b)).
5. When did these regulations become effective?
The effective date was March 1, 2017. The transitional period after which Covered Entities were required to be in compliance ended on August 28, 2017.
And keep in mind, there is more to come, including the requirement, effective March 2019, that covered entities have a security policy covering third-party service providers. Check here for a list of key dates under New York's Cybersecurity Regulation (23 NYCRR Part 500).
6. How are these regulations enforced, and what are the penalties for failure to comply?
While specific enforcement powers and penalties are not spelled out, the regulation will be enforced pursuant to the superintendent's authority under any applicable laws (Sec 500.20).
Final Words . . .
There is more to 23 NYCRR 500 than we have covered in this post, of course, but at this point you should have a clear understanding of the regulations in terms of who is affected, how, and what is required for compliance.
We recommend a risk-based approach to security built on Risk Identification, Risk Assessment, Risk Mitigation, and ongoing Risk Monitoring. This not only lets you define your risk tolerance and put an ongoing risk management program in place, but also goes a long way toward addressing the requirements of a number of major compliance frameworks, including the regulations addressed in this post.
Stay tuned for updates, and if you would like to learn more about how Threat Stack can help with your security and compliance requirements, feel free to download your free copy of our Fast-Tracking Compliance in the Cloud eBook, or contact us for a demo.