Sensitive data breaches and data loss are major concerns for any organization. The prospect of a financial data breach, however, often results in public panic and can lead to media headlines that destroy a business’s good reputation. In March 2017, the New York State Department of Financial Services released a new cybersecurity regulation for financial service providers, considered to be some of the most rigorous and comprehensive regulatory guidelines for the financial sector. It is the first step toward greater security to protect critical financial data that affects the lives and financial accounts of all individuals and organizations.
What is the NYDFS Cybersecurity Regulation?
In March 2017, the New York State Department of Financial Services (NYDFS) released new cybersecurity regulatory requirements for financial service providers with operations in the State of New York. The NYDFS standard, 23 NYCRR 500, is a first-of-its-kind law with the most comprehensive financial sector cybersecurity standards in the industry. The regulation requires the creation and implementation of a cybersecurity program based on risk management. Compliance requires organizations to establish effective, comprehensive cybersecurity programs and policies, assign a qualified Chief Information Security Officer (CISO), perform periodic risk assessments and implement various other security controls. The regulation will have impacts in the State of New York, as well as throughout the U.S. and globally.
Does the NYDFS Cybersecurity Regulation Impact Your Business?
If your organization provides financial or insurance services or is a third-party providing services to financial or insurance institutions in the State of New York, you likely meet the definition of a “covered entity” and are required to comply with the NYDFS regulatory requirements. A covered entity is defined as an individual or organization that is required to operate under a license, registration, charter, certificate, permit or accreditation under the banking, insurance or financial services laws of the State of New York, including foreign banks operating in the state.
Covered Entities include the following:
NYDFS provides a few exemptions from compliance with the standards for organizations that meet at least one of the following criteria:
- Have fewer than 10 employees (including independent contractors)
- Have less than $5 million in gross annual revenue in each of the last three fiscal years from New York business operations.
- Have less than $10 million in year-end total assets calculated under Generally Accepted Accounting Principles (GAAP).
To comply with 23 NYCRR 500, covered entities are required to establish and maintain an effective cybersecurity program and annually certify that they are meeting the regulatory requirements. A thorough, unbiased, enterprise-wide security risk assessment is the foundation for developing and maintaining a cybersecurity program and policies for certification under the NYDFS standard. The NYDFS cybersecurity risk assessment is intended to be a sustainable, recurring process central to identifying security vulnerabilities and the impact from potential security events to determine the level of security and the specific security controls that will be applicable for your organization. Basing regulatory enforcement on an institution’s risk assessment also provides flexibility and scalability in developing an effective cybersecurity program and determining an acceptable level of risk specific to your business.
The NYDFS standard (see section 500.09 for risk assessment guidance) does not require a third-party risk assessment, so you may decide to conduct the assessment with internal personnel. Regardless of the method chosen, it is important to ensure your assessors are knowledgeable in the NYDFS regulatory requirements and can be unbiased in conducting the cybersecurity risk assessment. RSI Security can provide your organization with knowledgeable and independent assessors to ensure your NYDFS cybersecurity risk assessment is unbiased, accurate and comprehensive. RSI guidance will ensure the development of an effective, rigorous cybersecurity program and policies that achieve NYDFS cybersecurity certification.
A high-level implementation schedule with NYDFS Cybersecurity deadlines for NYDFS 23 NYCRR Part 500 is listed below. The schedule includes four transitional periods with checklists for compliance:
- March 1, 2017: effective date for final 23 NYCRR Part 500 regulation.
- August 28, 2017: end of the first 180-day transitional period. Covered entities must be in compliance with the basic program elements of the regulation unless otherwise specified. Compliance by this date requires:
  - Establishing an effective cybersecurity program
  - Implementing and maintaining a written cybersecurity policy
  - Designating a qualified individual as Chief Information Security Officer (CISO)
  - Utilizing qualified internal cybersecurity personnel, or personnel from affiliates or third-party providers
  - Establishing a written incident response plan
  - Submitting notification of cybersecurity incidents to the NYDFS Superintendent within 72 hours
- February 15, 2018: the first annual certification under NYDFS must be submitted by Covered Entities on or before this date.
- March 1, 2018: end of the one-year transitional period. For compliance on this date, an organization must:
  - Have the CISO file a cybersecurity report
  - Perform regular penetration testing and vulnerability management
  - Perform bi-annual risk assessments
  - Provide regular cybersecurity awareness training
- September 4, 2018: end of the 18-month transitional period. For compliance on this date, an organization must demonstrate:
  - Maintenance of an audit trail
  - Implementation of application security controls
- March 1, 2019: end of the two-year transitional period.
  - Organizations must fully comply with 23 NYCRR 500, with written policies and procedures that protect the security of Information Systems and Nonpublic Information.
  - A Third-Party Service Provider Security Policy (NYDFS 500.11) is required, with written risk-based policies and procedures structured to protect the security of Information Systems and Nonpublic Information accessible to or held by third-party service providers.
How does your organization get started with a risk assessment to meet NYDFS regulatory guidelines and achieve NYDFS Cybersecurity Certification? Let’s take a look at risk assessment criteria and risk assessment methodology below:
Risk Assessment Criteria
NYDFS Section 500.09(b) provides specific details for the risk assessment to be conducted in accordance with an organization’s established policies and procedures, which need to include:
- Criteria for the evaluation and categorization of identified cybersecurity risks and threats.
- Criteria for assessing the confidentiality, integrity, security, and availability of the covered entity’s information systems and nonpublic Information.
- Criteria for assessing the adequacy of existing controls in the context of identified risks.
- Requirements for establishing how identified risks will be mitigated or accepted.
- Determining methods the cybersecurity program will utilize to address risks (e.g. authentication, access controls, encryption, training, etc.).
The NYDFS criteria clearly demonstrate that the intent of the regulation is for firms to perform a comprehensive, well-documented assessment of risk, specific to their own business environment, that then drives the compliance effort for every other component of the regulation.
Risk Assessment Methodology
Long-term sustainability should be a critical part of developing a risk assessment methodology. A one-and-done approach will not meet NYDFS compliance requirements for certification. Therefore, it is essential to build on and expand the previous year’s assessment to ensure that the processes and controls developed to address identified vulnerabilities and threats are operational and effective over the long term.
Below is a high-level four-step methodology for conducting a successful, sustainable risk assessment that can be tailored and scaled to the specific environment and needs of your organization.
- Identify and classify assets:
  - Establish an asset inventory appropriate to your unique business environment. Inventory documentation will include hardware and application inventories with descriptions and physical locations, infrastructure diagrams, vendor catalogs, etc.
  - Classify assets based on how critical each asset is to the reliability and availability of your network and systems.
- Identify and assess threats: Evaluate your specific business and technology environment for unique threats. While there are standard threats included in every risk assessment (e.g. unauthorized access, misuse of information, data compromise or loss, disruption of service), consider additional threats that may be unique to your organization.
- Determine inherent risk and impact: Determine and rate the impact on your organization if a specific threat occurs.
  - High: the impact could be substantial.
  - Medium: the impact would be damaging and inconvenient, but recoverable.
  - Low: the impact would be minimal or non-existent.
- Analyze mitigating controls and align controls with identified threats: Assess controls for operational effectiveness and align them with identified threats, including detection, prevention, mitigating and compensating controls. Examples of controls include:
  - User authentication controls
  - User provisioning controls
  - Risk management controls
  - Business continuity controls
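The four steps above are usually tracked in a risk register. The following Python module is an added example, not code from RSI Security or from the NYDFS regulation: it models the asset inventory, the threat catalog, the High/Medium/Low impact rating and the control alignment step, flags threats that have no effective preventive or detective control, and compares the current register against last year's to support the recurring, build-on-the-previous-year assessment the regulation expects. All assets, threats, controls, the 1-to-9 likelihood-times-impact scoring and the last-year register are constructed sample data and assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# The page's three rating levels, mapped to ordinal scores (assumption).
LEVEL = {"Low": 1, "Medium": 2, "High": 3}


def rating_from_score(score: int) -> str:
    """Bucket a likelihood x impact score (1..9) back into Low/Medium/High."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


@dataclass
class Asset:            # Step 1: inventory entry with its criticality classification
    name: str
    kind: str           # "hardware" or "application"
    location: str
    criticality: str    # Low / Medium / High


@dataclass
class Threat:           # Step 2: a threat and the inventoried assets it can affect
    name: str
    affected_assets: List[str]
    likelihood: str     # Low / Medium / High (assessor's estimate)


@dataclass
class Control:          # Step 4: a control aligned to one or more threats
    name: str
    category: str       # "prevention", "detection", "mitigating" or "compensating"
    covers: List[str]   # threat names this control addresses
    effective: bool     # outcome of the operational-effectiveness review


def impact(threat: Threat, assets: Dict[str, Asset]) -> str:
    """Step 3: the impact of a threat is driven by the most critical asset it touches."""
    worst = max(LEVEL[assets[a].criticality] for a in threat.affected_assets)
    return next(name for name, score in LEVEL.items() if score == worst)


def inherent_risk(threat: Threat, assets: Dict[str, Asset]) -> str:
    """Inherent risk before controls: likelihood x impact, bucketed to a rating."""
    return rating_from_score(LEVEL[threat.likelihood] * LEVEL[impact(threat, assets)])


def control_gaps(threats: List[Threat], controls: List[Control]) -> Dict[str, List[str]]:
    """Step 4: for each threat, which of prevention/detection has no effective control."""
    gaps = {}
    for t in threats:
        present = {c.category for c in controls if t.name in c.covers and c.effective}
        missing = [cat for cat in ("prevention", "detection") if cat not in present]
        if missing:
            gaps[t.name] = missing
    return gaps


def risk_register(assets: List[Asset], threats: List[Threat],
                  controls: List[Control]) -> List[dict]:
    """Combine the four steps into one row per threat."""
    index = {a.name: a for a in assets}
    gaps = control_gaps(threats, controls)
    return [{"threat": t.name, "impact": impact(t, index),
             "inherent_risk": inherent_risk(t, index),
             "gaps": gaps.get(t.name, [])} for t in threats]


def changed_since(previous: List[dict], current: List[dict]) -> List[str]:
    """Sustainability check: what is new, worse, or still unresolved since last year."""
    prev = {r["threat"]: r for r in previous}
    findings = []
    for r in current:
        p = prev.get(r["threat"])
        if p is None:
            findings.append(f"{r['threat']}: new this year")
        elif LEVEL[r["inherent_risk"]] > LEVEL[p["inherent_risk"]]:
            findings.append(f"{r['threat']}: risk rose from {p['inherent_risk']} to {r['inherent_risk']}")
        elif r["gaps"] and set(r["gaps"]) & set(p["gaps"]):
            still = sorted(set(r["gaps"]) & set(p["gaps"]))
            findings.append(f"{r['threat']}: control gap {still} unresolved since last assessment")
    return findings


# Constructed sample data (not a real institution's inventory).
ASSETS = [Asset("core-banking-db", "application", "NY data center", "High"),
          Asset("hr-portal", "application", "cloud tenant", "Medium"),
          Asset("branch-printer", "hardware", "Branch 12", "Low")]
THREATS = [Threat("unauthorized access", ["core-banking-db", "hr-portal"], "Medium"),
           Threat("data loss", ["core-banking-db"], "Low"),
           Threat("disruption of service", ["branch-printer"], "High")]
CONTROLS = [Control("MFA for privileged users", "prevention", ["unauthorized access"], True),
            Control("SIEM login-anomaly alerts", "detection", ["unauthorized access"], True),
            Control("nightly encrypted backups", "mitigating", ["data loss"], True),
            Control("DLP agent", "prevention", ["data loss"], False)]   # failed effectiveness test
LAST_YEAR = [{"threat": "unauthorized access", "impact": "High", "inherent_risk": "Medium", "gaps": []},
             {"threat": "data loss", "impact": "High", "inherent_risk": "Medium", "gaps": ["prevention"]}]

if __name__ == "__main__":
    register = risk_register(ASSETS, THREATS, CONTROLS)
    for row in register:
        print(row)
    for line in changed_since(LAST_YEAR, register):
        print("CHANGE:", line)
```

Running the module prints one register row per threat and then the year-over-year findings: the "unauthorized access" risk rose because the likelihood estimate changed, the "data loss" prevention gap is carried over from last year because the DLP control failed its effectiveness review, and "disruption of service" is new. Those carried-over gaps are exactly what an assessor needs to show the next certification builds on the prior year rather than starting from scratch.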
Your organization’s efforts to achieve NYDFS cybersecurity compliance can be coordinated internally with personnel who have the broad knowledge and independence to provide an unbiased, effective risk assessment as the foundation for your cybersecurity program and policies. It is important, however, for the executives who sign off on certification of compliance with the regulation to have full confidence in that certification.
RSI Security can assist your organization with NYDFS Security Compliance and Certification with the knowledge and independence that are critical to developing an unbiased, operationally effective cybersecurity program and policies. RSI can provide excellent support for effective, sustainable annual compliance and certification that protects your systems and nonpublic information today, as you start your compliance journey with 23 NYCRR 500, and in the future.
As one of the top cybersecurity and compliance providers in the country, RSI Security is dedicated to assisting organizations in complying with applicable regulations such as the NYDFS cybersecurity regulation.
RSI Security can help covered entities get through the process of achieving NYDFS security compliance so they can enjoy the peace of mind of having secure data and avoid devastating consequences. Learn more about how RSI Security can assist in NYDFS compliance and cybersecurity services.