In January, I wrote about the proposed cybersecurity regulations for New York-based banks, insurance companies and other financial services.
Now those regulations are in effect as of August 28, 2017, and companies must comply with the requirements put in place by the New York Department of Financial Services (DFS).
Additional rules will be phased into effect between 2018 and 2019, according to an article by the law firm Cadwalader, Wickersham & Taft.
Mandatory NY Cybersecurity Provisions
Mandatory provisions include:
- Implementation of a risk-based cybersecurity program - It must have written policies and procedures and an incident response plan.
- Designation of a Chief Information Security Officer (CISO) - This CISO must be qualified and retain security staff that can stay up-to-date with the latest threats and solutions.
- Periodic user access assessments - By conducting a periodic review of who has access to their confidential data and networks, organizations can put limitations in place to secure that access.
- Following the breach incident process - Organizations must report any security events to the DFS within 72 hours - including unsuccessful attacks that may raise concerns.
If you think you might qualify for a limited exemption of the rules (less than 10 employees or $5 million in gross annual revenue, etc.), you have to apply for a Notice of Exemption by Sept. 27, 2017.
The next date to watch out for is February 15, 2018, when all DFS-regulated organizations must submit their first certification of compliance under 23 NYCRR 500.17(b).
Get the full list of key dates under NY’s Cybersecurity Regulation.
Cybersecurity Program Requirements
The regulations require many different components of a cybersecurity program - below is just a summary of each aspect:
- Penetration Testing and Vulnerability Assessments - This requires monitoring and testing, annual penetration testing, and bi-annual vulnerability assessments.
- Audit Trail - Must be designed to reconstruct financial transactions to support normal operations (maintain those records for at least five years) and to detect security events (maintain those records for at least three years).
- Access Privileges - Limit user access privileges to information systems that hold confidential information, and conduct a periodic review of those privileges.
- Application Security - Must include written procedures, guidelines and standards to ensure secure development of any in-house applications developed for use by the organization; these are managed by the CISO.
- Risk Assessment - The DFS outlines the need for periodic risk assessments to drive revisions to controls, policies and procedures for evaluating and identifying threats, risk mitigation plans and more.
- Cybersecurity Personnel and Intelligence - Have qualified cybersecurity professionals (which could be a third party) that oversee security; update and train them on risks; ensure they maintain current knowledge of changing threats and solutions, etc.
- Third-Party Service Provider Security Policy - Must have policies and procedures to ensure third party security, including risk assessments, minimum security standards, periodic evaluation of third party risk, etc.
- Multi-Factor Authentication - Use effective controls, including multi-factor authentication (MFA) or risk-based authentication. MFA must be used for any user accessing internal networks from an external network.
- Limitations on Data Retention - Include policies and procedures for the secure disposal of confidential information when it is no longer necessary to retain it for business purposes.
- Training and Monitoring - Implement risk-based policies, procedures and controls to monitor user activity and access to data; provide regular security awareness training for all personnel.
- Encryption of Nonpublic Information - Implement controls, including encryption, to protect data at rest and data in transit over external networks. Compensating controls may be used instead, but they must be reviewed and approved by the CISO.
- Incident Response Plan - Establish a written incident response plan designed to respond promptly to and recover from any event that affects the confidentiality, integrity or availability of the organization’s systems or business operations.
To see the full text and specifics of the regulations, check out the Cybersecurity Requirements for Financial Services Companies (PDF).