Kyle Watson
NYDFS 23 NYCRR 500 – 5 Key Things Financial Companies Must Do
Updated: Aug 13, 2020
(First in a Three-Part Series of Blog Posts)
Wednesday, September 27th marked the end of the initial 30-day period for filing Notices of Exemption under the New York Department of Financial Services’ (NYDFS) Cybersecurity Regulation, 23 New York Codes, Rules, and Regulations (NYCRR) Part 500.
For those of you in organizations subject to NYDFS oversight, you are probably aware of 23 NYCRR 500, a new set of cybersecurity requirements that went into effect this past March for financial services companies operating in New York. Its purpose is to address the heightened risk of cyberattacks by nation-states, terrorist organizations and independent criminal actors. So who does 23 NYCRR Part 500 apply to? If your company operates in New York, the first question you should ask is: Does my company meet the regulation’s definition of a Covered Entity? According to the DFS website, the following entities are among those subject to compliance:
Service contract providers
Insurance companies doing business in New York
Non-U.S. banks licensed to operate in New York
As the year comes to an end it is extremely important that your organization is ready to comply and file the annual DFS Certification of Compliance, which is due on February 15, 2018.
In Financial Services, you should already have a set of policies, procedures, standards and guidelines based on a common security framework (ISO 27001, COBIT, etc.) that allows you to perform risk assessments and comply with regulatory mandates. Policies drive the processes and procedures that govern your day-to-day operations, enabling your business to be secure and compliant. You should reinforce this with everyone who has access to your systems and data, through awareness training during onboarding and on a periodic basis.
There has been an increasing focus on compliance at the data level of protection. Under NYDFS, the data in scope is classified as Nonpublic Information (NPI). Organizations need data protection strategies in place to protect employees, partners, and customers. The rise in threats and breaches has prompted legislative and regulatory bodies to issue rules that require companies to behave in ways that mitigate risk, and many new regulations have come into play in recent years. Prior to NYDFS 23 NYCRR 500, there was the EU General Data Protection Regulation (EU-GDPR), adopted in 2016, and the Service Organization Control (SOC) reports introduced in 2011 (which succeeded SSAE 16 in 2010 and SAS 70, dating back to 1992). A strong risk-based approach to data protection means your company should be close to compliance already, but each new regulatory mandate introduces changes that must be considered in data protection, visibility, and reporting to the executive level.
23 NYCRR 500 took effect in March 2017, followed by a transitional period that ended in August 2017; the deadline for filing a Notice of Exemption passed just last month, in September 2017. The timeline becomes more specific as the new year rolls out, with the first annual Certification of Compliance due on February 15, 2018. After that first 2018 deadline comes a phased timeline for implementing the specific controls the regulation requires.
The NYDFS 23 NYCRR 500 Timeline
There are 5 key things that you need to do immediately, if you have not done so:
Appoint a Chief Information Security Officer (CISO) with specific responsibilities
Ensure that senior management files an annual certification confirming compliance with the NYCRR Part 500 regulations
Conduct regular assessments, including penetration testing, vulnerability assessments, and risk assessments
Deploy key technologies including encryption, multi-factor authentication, and others
Ensure your processes allow you to notify NYDFS within 72 hours of determining that a cybersecurity event has occurred “that has a reasonable likelihood of materially affecting the normal operation of the entity or that affects Nonpublic Information.” Note that the 72-hour clock starts at the determination that a reportable event occurred, so your incident response procedure needs a defined, documented point at which that determination is made.
What makes this new set of regulations unique is that it requires companies to comply with rules that are more specific and more enforceable than the guidance most of them currently follow. It also differs from existing guidance, frameworks, and regulations in that it has a broad definition of protected information, increases oversight of third parties, calls for timely destruction of NPI (Nonpublic Information) that is no longer needed, and requires prompt notification of a cybersecurity event (72 hours). Covered Entities are also required to maintain audit trails and transaction records that cannot be altered, and to submit an annual certification.

In our next post we will discuss the 9 major components of the NYDFS regulation that should drive your Risk Assessment. In the second part of the series, we discuss the compliance measurement process and the risk assessment.

Kyle Watson, Partner, Information Security at Cedrus Digital