On March 1, 2017, New York Department of Financial Services (NYDFS) released their cybersecurity requirements for financial services companies and their third-party providers. Whether based in New York or not, organizations conducting business or hosting information (“Covered Entities”) related to New York banking, insurance, and financial services industries must comply with these regulations—the only exceptions are national and federal banks, which have been excluded. And while some exemptions do apply, every organization should still consider adopting a cybersecurity framework.
Upon initial release, NYDFS issued a 180-day transitional period (which ended on August 28, 2017) stating that in order to comply, Covered Entities must:
- Establish a Cybersecurity Program designed to protect the confidentiality, integrity, and availability of information systems (500.02(a))
- Implement and approve written policies and procedures based on the Risk Assessment for the protection of information systems and nonpublic information (500.03)
- Appoint a Chief Information Security Officer (CISO) to oversee the cybersecurity program and applicable third-party providers (500.04)
- Limit user access privileges to nonpublic information and review access rights on a periodic basis (500.07)
- Staff qualified cybersecurity personnel and provide training sufficient to address cybersecurity risks (500.10)
- Establish an Incident Response Plan to promptly respond to and recover from a cybersecurity event (500.16)
- Begin notifying the NYDFS superintendent of cybersecurity events (500.17)
While these criteria are not required to be completed during the transitional period, covered entities should still seek to complete a risk assessment over their scope of services. Such a step is critical for the development of a complete cybersecurity program, cybersecurity policies, and access privilege restrictions, specific to the company's information systems and nonpublic information.
So, what’s next?
New York State’s website can be a resource on the series of deadlines for the regulation, which can help generate a timeline for the progress of a compliant cybersecurity program. Covered Entities are required to submit their first certification in accordance with 500.17(b) prior to February 15, 2018—all the aforementioned items must be implemented by that point. However, while completing those practice in their specific programs, organizations should also work to begin implementing the following requirements that are required by the second deadline of March 1, 2018:
- Report to the Board of Directors or equivalent by the CISO regarding the status of the cybersecurity program, risks identified, and prospective action plans of said risks (500.04(b))
- Implement periodic penetration testing and (not “or”) vulnerability scans to detect potential vulnerabilities (500.05)
- Complete a risk assessment around information systems that maintain nonpublic information. The risk assessment is the backbone of the cybersecurity program and should be re-performed as necessary, but no less than bi-annually. Covered Entities should define criteria around confidentiality, integrity, security, and availability of nonpublic information and result in change of the controls process to address identified threats (500.09).
- Implement multi-factor authentication when accessing information systems from an external source (500.12)
- Complete cybersecurity awareness training to all employees (500.14(b))
The one-and-a-half-year mark from when the regulation was first released is the deadline to implement the remainder of the requirements. By September 3, 2018, Covered Entities need to address:
- Audit trails that include sufficient detail detection and response of cybersecurity events and are configured to meet minimum retention policies (500.06)
- Ensuring information systems hosting nonpublic information – whether internal or external – are subject to secure development practices (500.09)
- Implementation of proper data disposal and retention (500.13)
- Implementation of controls supporting the monitoring of user access and detect the modification of nonpublic information (500.14(a))
- Ensure encryption of data while in transit and at rest on company information systems is in place (500.15)
Finally, the last deadline is not one to not be taken lightly comes as the two-year transitional period ends. By March 1, 2019, Covered Entities must be able to report all third-party providers with access to nonpublic information meet minimum cybersecurity practices (500.11), and one should assume NYDFS would expect those practices to align with their regulations. Organizations must remember that soliciting a third party does not eliminate your risk - it only migrates it. CISOs will be required to speak on behalf of their vendors in stating that enough due diligence was performed by the Covered Entity to gain assurance that information systems are properly secured to maintain the confidentiality, integrity, and availability of sensitive data.
It has become clear that an organization-specific cybersecurity program is becoming more and more essential across all industries, and as more companies aim to protect more critical data, more regulation will emerge. And whether or not an organization is based or does business in the state, New York’s Department of Financial Services has provided a new series of criteria and deadlines that can help any entity begin the progress of a general cybersecurity framework.
About the AuthorMore Content by Collin Varner