new york cyber security regulations

New York Cyber Security Regulations: Are You Ready to Implement 23 NYCRR 500?

| by Zackery Mahon

March 1, 2017, marked the day that “23 NYCRR 500” (the New York Cyber Security Regulation) went into full effect for all New York Department of Financial Services (NYDFS) regulated individuals and organizations. These groups are required to adopt programs, policies, and procedures to protect their most sensitive information and assets from cyber security threats. With the compliance clock ticking quickly, these regulated entities should consider how they will address seven of the 16 required controls before the end of August 2017.

This blog provides a quick overview of which specific entities must follow the regulation, individual requirements, and controls that need to be implemented before the first transition deadline. Over the next couple of weeks, we will also discuss how other regulations may overlap with 23 NYCRR 500 and the approaches Delta Risk can take to help DFS regulated organizations meet their compliance needs.

Who Must Comply with the Regulation?

23 NYCRR 500 applies to all individuals and organizations that are regulated by NYDFS. Specifically, the regulation defines these individuals and organizations as any that “operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the [New York] banking law, the insurance law, or the financial services law.” While not noted here, the regulations also apply to state-charted and foreign banks licensed to operate in New York (e.g., Barclays, Deutsche Bank, Goldman Sachs Group).  Additionally, the law also extends to third-party suppliers who process, store, and transmit non-public information associated with these individuals and entities.

That being said, New York has provided partial exemptions from some of the requirements for individuals and entities that have less than 10 employees, less than $5 million in annual revenue, or $10 million in total asset amount at the end of the year.

Partially Exempt Individuals/Organizations

Fewer than 10 employees including independent contractors; or Less than $5 million in annual revenue in each of the last three fiscal years; or Less than $10 million in year-end total assets in accordance with GAAP

Applicable Controls for Partially Exempt Individuals/Organizations

500.02; 500.03; 500;07; 500.09; 500.11; 500.13; 500.17

Requirements Regulated Individuals Must Follow

There are 16 requirements aimed at protecting non-public information within and outside regulated individuals which are listed in the new cyber security law. Some of these requirements will look familiar to organizations that must comply with other industry standards like GLBA, FFIEC, and SOX. However, the 23 NYCRR 500 requirements are more prescriptive than the “general guidance” provided in the standards that are already well-known. While this may be a burden for some, the prescriptive nature of the regulations will provide a clearer picture of what is required and allow smaller organizations to address the controls pragmatically to establish a well-rounded security program and build a security culture within the organization.

The New York Cyber Security Rules outline the following requirements:

  • 500.02 – Creation of an information security program;
  • 500.03 – Documentation of cyber security policies;
  • 500.04 – Designate a CISO to report to board and lead cyber security program
  • 500.05 – Ongoing Vulnerability and Penetration Testing along with continuous monitoring;
  • 500.06 – Implement an audit trail of transaction and security related events;
  • 500.07 – Create a process/procedure to limit access and review privileges to nonpublic information;
  • 500.08 – Creation of procedures, guidelines, standards for developing sure applications and assessing security externally developed applications;
  • 500.09 – Periodic entity risk assessments;
  • 500.10 – Provide cyber security training for cyber security personnel;
  • 500.11 – Implement a third-party service provider security policy;
  • 500.12 – The use of multi-factor authentication technology;
  • 500.13 – A data retention and disposal policy;
  • 500.14 – User access monitoring capabilities and awareness training;
  • 500.15 – Encryption for nonpublic information at both transit and rest; and
  • 500.16 – A written incident response plan; and
  • 500.17 – Notification of cyber security event and annual reporting to superintendent.

Complying with the requirements above involves a significant investment into the people, process, and technology needed to maintain a well-oiled security program. Let’s dive deeper into what should be prioritized.

Which Controls Should be Prioritized?

The 16 controls that individuals and organizations must comply with are aimed at establishing a well-documented security program, implementing controls to maintain the CIA triad for non-public information, maintaining an educated staff, and monitoring vulnerabilities on an ongoing basis. Organizations that have not established a cyber security culture around their people, processes, and technology will have a tougher time complying with the regulation.

Given that many firms will be starting from scratch, the regulation provides structured transition periods for organizations to implement specific controls over time. The timelines described in the regulations are split into six-month increments that allow for gradual implementation of the controls over a 24-month timeframe.

For the first six-month transition period, individuals and organizations must be successful in implementing the following seven controls and requirements aimed at people, processes, and technology (these requirements are for all individuals and organizations that are not considered an “exempt” entity):

  • 500.02 – Creation of an information security program;
  • 500.03 – Documentation of cyber security policies;
  • 500.04 – Designate a CISO to lead cyber security program;
  • 500.07 – Create a process/procedure to limit access and review privileges to nonpublic information;
  • 500.10 – Provide cyber security training for cyber security personnel;
  • 500.16 – A written incident response plan; and
  • 500.17 – Notification of cyber security event and annual reporting to superintendent.

Ramifications for People, Processes, and Technology

People

As indicated above, § 500.04 requires a covered entity to designate a CISO to oversee the security program and enforce policy. With most CISOs commanding a six-figure salary, and a limited pool of candidates to hire from, smaller financial institutions may struggle to achieve this requirement. Additionally, § 500.10 addresses maintaining a well-educated and trained cyber security staff.  This involves taking steps to maintain knowledge of changing threats and countermeasures seen in the current threat landscape. NYDFS is allowing covered entities to leverage third-party experts to serve as these personnel, but there must be a designated point of contact at the covered entity to oversee these relationships.

Processes

In addition to human capital, many financial firms must answer the demands of cyber security process design, implementation, and maintenance. For example, §§ 500.02, 500.03, 500.07, and 500.16 require the development of a security program, cyber security policies addressing 14 separate security areas, access privilege policy and procedures, and a robust incident response plan. Each one of these plans and policies require considerable time and expertise to build, implement, and test. A covered entity may utilize outside experts trained in cyber security policies and processes to assist in the development, implementation, and testing of the polices required by the NYDFS.

Technology

Finally, covered financial institutions and banks are requested to invest money in required technology such as “defensive infrastructure” capable of detecting and responding to cyber events (see § 500.02). Developing an internal security operations center, or purchasing a security information and event management system.

Since the regulation has been active since March 1, 2017, that leaves roughly three months to comply with seven requirements outlined above. As your organization addresses these controls, don’t forget the sub-requirements associated with each of these controls.

Summary

As NYDFS entities begin to implement the seven requirements above, it may make sense to enlist the help of a third-party cyber security partner that can ensure the implementation process is not only efficient but meets all critical controls before the end of August.

Time is of the essence, so whether you need support implementing all or a few of these listed requirements, please feel free to contact Delta Risk for more information on how we can assist with helping secure your organization as a trusted advisor and service provider.

Stay tuned for our next blog to learn about the overlap that exists between GLBA, FFIEC, and 23 NYCRR 500.