NYDFS 23 NYCRR 500 – How is compliance measured?
Updated: Aug 13, 2020
(Second in a Three-Part Series of Blog Posts)
Last week we started a three part series on the implications of NY Department of Financial Services (NYDFS) 23 NY Codes, Rules, and Regulations (NYCRR) Part 500, a new set of regulations from the NYDFS that places new cybersecurity requirements on all covered financial institutions (a.k.a entities). To check out that post, click here. In today’s post we will discuss the compliance measurement process, and the Risk Assessment.
A recent survey by the Ponemon Institute reports that 60 percent of respondents (who primarily work in their organizations’ IT, IT security and compliance functions) believe this regulation will be more difficult to implement than GLBA, HIPAA, PCI DSS and SOX. What is unique about NYDFS NYCRR Part 500 is that it obligates entities to comply with more specific and enforceable rules that they currently face. It differs from existing guidance, frameworks, and revelations in several important ways:
Broad definition of protected information
Broad oversight of third parties
Timely destruction of NPI (nonpublic information)
Prompt notification of cybersecurity event (72 hours)
Maintaining unaltered audit trails and transactions records
Annual certification (first submission due on February 15, 2018)
As an NYDFS covered entity, an organization must certify that they have implemented the controls as outlined in the requirements of NYCRR Part 500. In order to certify, the Board of Directors or Senior Officers must have evidence that appropriate governance, processes, and controls in place. This evidence is provided through the Risk Assessment. There are 9 major components of the NYDFS regulation that should drive an entity’s Risk Assessment:
Third-party Risk Management
Vulnerability & Penetration Testing
Logging and Monitoring
It is important to note that the Risk Assessment must be conducted periodically, updated as necessary, and conducted in accordance with written policies and procedures so that it’s a defined and auditable process. Finally, it must be well documented. Meeting compliance will be a challenge for some, even though financial services companies have expected the new cybersecurity regulation for some time. Some of the challenges that we foresee in achieving NYDFS compliance are:
Keeping senior management and key stakeholders involved in the planning and reporting process
Running regular risk assessments, noting deficiencies from each assessment, and adjusting as necessary
Validating that within your technology line-up, you are covered. Are key technologies such as encryption and multifactor authentication in place?
Reporting within 72 hours. As you review your incident process, assess whether you can respond to the reporting requirements for cybersecurity events.
In addition to protecting customer data and fortifying the information systems of financial entities, another major attribute of NYDFS 23 NYCRR Part 500 is its widening the net of regulated data protection. NYDFS is driving organizations to properly secure sensitive Non Public Information, known as NPI. Even though NPI classification is not new (GLBA was one of the first regulations to introduce personal data security data requirements for NPI), the NYDFS regulation has a more prescriptive approach than others – it requires entities to implement policies, procedures, and technologies to comply.
NPI acts as an umbrella over PII (Personally Identifiable Information) and PHI (Protected Health Information). All three data types have their nuances though, so even if you secure your PII and PHI, it doesn’t mean that your NPI is 100% secure and that you’re in compliance. Take some time to evaluate NPI in your organization – see section 500.01.g for the NYDFS definition of NPI.
So, what steps can you take today that will assist your organization in being compliant with NYDFS through the proper protection of NPI? Join us next week for the third and final post, where we discuss why CASB and IAM are two key tech components that can help in your overall compliance strategy for Part 500, and ultimately improve your ability to protect sensitive data and avoid a breach.
Want to find out more? View our on-demand webinar “The Road to CASB: Compliance Challenges & Key Business Requirements” and download our Road to CASB: Key Business Requirements 2.0 Whitepaper, designed to provide you with requirements that you can use as input consideration for your CASB initiative. Have more questions? Contact us to find out how we can help with your security and compliance needs. In the third part of the series, we’re going to showcase the role of Cloud Access Security Broker (CASB) and Identity and Access Management (IAM) – how they protect NPI (Non-Public Information) and support NYDFS compliance. Kyle Watson Partner, Information Security at Cedrus Digital