The New York Cyber Security Regulation is now in effect as of August 28th, 2017. If you are a financial institution, you need to comply.
As we previously reported, the New York Department of Financial Services (DFS) set in motion a new cybersecurity regulation, 23 NYCRR Part 500 (pdf), that went into effect on March 1, 2017. This regulation has been designed specifically to protect the personal data collected by banks, insurance agencies and financial services institutions in the event of a cyberattack. Most financial institutions had a 180-day grace period in which to get these policies and procedures in place, meaning that as of August 28, 2017 they should be fully compliant.
Requirements for Compliance
Although the regulation outlines what is required in order to meet and maintain compliance requirements, it is still unclear how these policies will be enforced and what types of penalties will be issued in the event of a failure. We may have to wait for the first court rulings under this new cybersecurity program.
In an attempt to reduce confusion and uncertainty, the NYC DFS published a list of FAQs in June 2017. The National Law Review went through and highlighted a few of the requirements and provided their interpretation of how they will be handled.
It is important to note that the cybersecurity policy must be based on the Covered Entity's Risk Assessment, which includes fourteen cybersecurity functions. This includes, but is not limited to: information security, data governance and classification, risk assessment, and incident response. The Federation of Regulatory Counsel has a practical guide that goes into further detail.
At a high level, it is clear that affected institutions will need to comply with and provide the following:
- Security Officer: companies will need to have a Chief Information Security Officer (CISO) in place to set and enforce an internal cybersecurity program and risk assessment
- Penetration Testing: annual penetration testing and bi-annual vulnerability testing to identify weaknesses in a company’s infrastructure
- Audit Trails: used to detect and respond to cybersecurity incidents
- Access Privileges: be able to limit access to internal systems and non-public information
- Risk Assessments: periodic review of systems and procedures to prove they are compliant under the terms of the regulation
- Multifactor Authentication (MFA): ensure MFA protections are in place to protect non-public information
- Data Retention Limits: ability to set time limits on how long non-public data is stored and ensure it is securely disposed of accordingly
- Data Encryption: ability to encrypt sensitive information both in transit and at rest
Additional compliance mandates and details can be found in the 23 NYCRR Part 500 (pdf) documentation.
Next Steps Towards a Stronger Security Posture
The NYC Cyber Security Regulation offers a minimum set of standards that financial institutions should follow in order to safeguard their systems and networks. However, keep in mind that complying with this new regulation does not guarantee that your organization is safe from attack.
It will be important to consider new tools that extend your cybersecurity program to meet compliance requirements. For instance, MOVEit is a tool that encrypts data and enforces data controls. MOVEit also includes multi-factor authentication to prevent unauthorized access to data.
Even if your business has a cybersecurity policy that goes above and beyond the new regulation, your incident response plan will need to be tested and proven to work in the unfortunate event of a security breach.
The landscape of cyber attacks is rapidly changing, with new, unpredictable and increasingly sophisticated assaults taking place regularly. Do you want to do the bare minimum and hope for the best, or do you want the peace of mind of knowing your network is protected against the new attacks that are thrown at it?
This regulation is a great reason to re-evaluate your current security processes and procedures on an ongoing basis: get a security officer in place to set and enforce policies, invest in more robust technologies to protect your data, and develop a set of next steps to keep your business one step ahead of, and protected from, future cyber attacks.