While breaches that expose personal information (photos, emails and the like) are concerning, the prospect of a financial breach tends to cause a much higher level of panic. Accountability also matters more as these breaches become more frequent: people want assurance that their financial information is protected to the greatest extent possible.
Consequently, New York took a step toward greater security by enacting 23 NYCRR Part 500, a regulation focused on cybersecurity for financial institutions. Do you know what the NYDFS cybersecurity regulation requires or how it affects you? Find out now with our comprehensive blog post.
What is NYDFS?
In 2017, the New York Department of Financial Services (NYDFS) adopted its Cybersecurity Regulation, 23 NYCRR Part 500, which took effect on March 1, 2017. It sets out requirements for cybersecurity programs, data protection and breach reporting for banks, insurers and other financial services companies licensed by DFS.
The regulation, while implemented only at the state level, parallels the EU’s General Data Protection Regulation (GDPR), which sought to give the public greater transparency regarding privacy. However, the GDPR is much broader and less prescriptive than the NYDFS regulation, likely because of its multinational scope. NYDFS published the final version of the regulation on February 16, 2017. The “23” in its name refers to Title 23 of the New York Codes, Rules and Regulations, not to a count of requirements; the rule itself is organized into sections 500.00 through 500.23.
Who Must Comply?
The regulation applies to all Covered Entities, defined as any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.
In practice, this covers banks, insurers and other financial services companies licensed by DFS. These are the major groups, but more information and a fuller list of regulated institutions can be found on the DFS’ website.
However, the regulation does allow limited exemptions (section 500.19). A Covered Entity with fewer than 10 employees (including independent contractors), less than $5 million in gross annual revenue in each of the last three fiscal years, or less than $10 million in year-end total assets is exempt from several sections, including the CISO, penetration testing, audit trail, application security, cybersecurity personnel, multi-factor authentication, training, encryption and incident response plan provisions. It must still maintain a cybersecurity program and policy, limit access privileges, conduct risk assessments, manage third-party risk and report to DFS. Entities that neither operate any Information Systems nor hold any Nonpublic Information are exempt from a larger set of sections. In every case, the exemption is not automatic: the entity must file a Notice of Exemption with DFS.
The regulation requires many of the practices recommended by the National Institute of Standards and Technology (NIST). Under it, financial institutions must put data protection measures in place, encrypt Nonpublic Information in transit over external networks and at rest, implement access controls, and conduct penetration testing and vulnerability assessments.
Additionally, the cybersecurity program must be overseen by a Chief Information Security Officer. To address breaches, companies must have a written incident response plan and a process for notifying DFS of Cybersecurity Events. Each year, by February 15, a Covered Entity must certify its compliance to DFS in writing, and it must retain for five years the records supporting that certification, including documentation of any identified weaknesses and the remediation planned or under way.
Top 9 Compliance Requirements
Although the points above summarize the basic stipulations of the regulation, each of its sections carries sub-points detailing what must be included in written policies and procedures.
It is important to note that the regulation does not prescribe technical specifications; rather, it describes broader, risk-based requirements. This allows each entity to select the software and devices that best suit its needs.
Penalties for noncompliance can run to $250,000 per violation. Therefore, review these main (though not all) compliance points to better understand the requirements:
1. Maintain a cybersecurity program.
The program must be designed around the results of a risk assessment. First, the cybersecurity program must identify and assess internal and external cybersecurity risks to the entity’s systems and to the Nonpublic Information (which is broader than Personally Identifiable Information, or PII) stored on them. One of the key tenets of the regulation is information integrity. Second, implement defensive infrastructure (e.g., firewalls). Third, outline detection, response and recovery procedures and how regulatory reporting obligations will be met. Financial institutions may adopt the cybersecurity program of an affiliate (any Person that controls, is controlled by or is under common control with another Person), but that program must cover the Covered Entity’s systems and data and itself comply with the regulation.
2. Develop a cybersecurity policy.
Again, the policy should be built on the results of the risk assessment, and it must be approved by a Senior Officer or by the entity’s board of directors (or an appropriate committee or equivalent governing body).
To the extent applicable, the policy must cover the following areas:
- information security
- data governance and classification
- asset inventory and device management
- access controls and identity management
- business continuity and disaster recovery planning and resources
- systems operations and availability concerns
- systems and network security
- systems and network monitoring
- systems and application development and quality assurance
- physical security and environmental controls
- customer data privacy
- vendor and third-party service provider management
- risk assessment
- incident response
3. Designate a Chief Information Security Officer (CISO).
The regulation allows the CISO to be employed by a third-party service provider or an affiliate if hiring an internal CISO is not an option. In that case the Covered Entity retains responsibility for compliance, must designate a senior member of its own personnel to oversee the third party, and must require the provider to maintain a cybersecurity program meeting the regulation. The CISO’s responsibilities include a written report, at least annually, to the board or equivalent governing body that approves the cybersecurity policy. The report should cover the effectiveness of the program’s policies and procedures, material cybersecurity risks, and any material Cybersecurity Events (e.g., breaches) over the period.
4. Conduct penetration and vulnerability testing.
The regulation favors effective continuous monitoring: systems that detect, on an ongoing basis, changes in Information Systems that may create or indicate vulnerabilities. Where such monitoring is not in place, the regulation requires at least one penetration test each year and vulnerability assessments at least twice a year. The penetration test must be scoped by the risks identified in the risk assessment, and the vulnerability assessments must include systematic scans or reviews designed to identify publicly known vulnerabilities.
5. Leave an audit trail.
First, records of material financial transactions allow an entity to reconstruct past events sufficiently to support normal operations and obligations in the event of a breach or audit. Second, clear records (about system changes, new security policies, breaches, etc.) help validate operations and compliance claims if an audit occurs. Audit trails must also be designed to detect and respond to Cybersecurity Events that could materially harm normal operations, and they aid recovery efforts. The regulation requires entities to retain the records needed to reconstruct material financial transactions for at least five years and the audit-trail records for at least three years.
6. Implement access controls
Compliant entities must limit user access privileges on Information Systems that provide access to Nonpublic Information, and must periodically review those privileges. Access to systems holding Nonpublic Information (PII included) should be granted on a need-to-know basis.
7. Application security
Application security addresses both in-house development and any purchased applications. For either scenario, compliant entities must maintain written procedures, guidelines and standards: secure development practices for applications built in house, and procedures for evaluating, assessing and testing the security of externally developed applications. These should include testing and assessment throughout the development process or, for purchased software, throughout its lifetime of use. The CISO (or a qualified designee) must periodically review these procedures and update them as needed.
8. Periodic risk assessments
Periodic risk assessments of the entity’s Information Systems and Nonpublic Information are required, and they must be updated as business operations and the threat landscape change. The written policies and procedures for the assessment must include criteria for evaluating and categorizing identified risks, criteria for assessing the confidentiality, integrity, security and availability of systems and data (including the adequacy of existing controls), and a description of how identified risks will be mitigated or accepted and how the cybersecurity program will address them.
9. Train employees
Once the technical measures are in place, the requirements turn to the human side of security, in particular training. Employees must be trained to follow security procedures and to recognize and respond to incidents.
Cybersecurity personnel must be qualified, or trained to become qualified, to manage the cybersecurity risks and oversight the entity’s systems require, and must be given the opportunity to keep their knowledge current. Companies should also verify the capabilities of third-party and affiliate personnel performing these functions.
Regular cybersecurity awareness training for all personnel, updated to reflect the risks identified in the risk assessment, keeps staff aware of the latest techniques and threats targeting their industry. Training may be provided internally or through third-party or affiliate groups. Read more in our related blog article about why your team needs cyber security education.
For further assistance and help for achieving and maintaining compliance, check out RSI Security’s compliance advisory services.
Using Third Parties
Third-party policies are designed to set clear boundaries and prevent unauthorized access through vendors. The regulation requires a written policy governing the security of Information Systems and Nonpublic Information that are accessible to, or held by, third-party service providers. The policy must identify the third parties involved, assess the risk each presents, and set minimum cybersecurity practices they must meet.
Additionally, the policy should define the due diligence used to evaluate a third party’s security practices before engagement (much like a third-party checklist). Although the regulation does not specify a timeline, it requires periodic reassessment of third parties based on the risk they present and the adequacy of their practices.
Beyond the initial assessment, companies must keep a record of their findings (e.g., a list of the security measures the third party uses). The regulation expects contractual guidelines covering the third party’s use of multi-factor authentication and encryption for Nonpublic Information in transit and at rest, its access controls, notice to the Covered Entity of Cybersecurity Events affecting its systems or data, and representations and warranties about its security policies.
Dealing with Security Breaches
While preventing security breaches is the primary goal, the regulation also requires a written incident response plan for Cybersecurity Events that materially affect the confidentiality, integrity or availability of systems or operations. The plan must address: the internal processes for responding; the goals of the plan; clear roles, responsibilities and levels of decision-making authority; internal and external communications and information sharing; requirements for remediating identified weaknesses; documentation and reporting of events and the response; and evaluation and revision of the plan after an event occurs.
A streamlined response plan helps ensure that a breach is contained quickly and that notifications go out promptly. In particular, a Covered Entity must notify the DFS Superintendent within 72 hours of determining that a Cybersecurity Event has occurred that either requires notice to another government or regulatory body or has a reasonable likelihood of materially harming normal operations. Miscommunication can cause large losses and irreparable damage to reputation. To learn more about dealing with security breaches, see our related post, or read NIST’s Computer Security Incident Handling Guide (SP 800-61).
- Data retention – Only necessary data should be stored. Compliant entities must have policies for the periodic secure disposal of Nonpublic Information that is no longer needed for business operations or another legitimate purpose, except where the data must be retained by law or where targeted disposal is not reasonably feasible. This requires a written disposal procedure and training employees to follow it.
- Encryption – Compliant entities must encrypt Nonpublic Information both in transit over external networks and at rest. Where encryption is infeasible, the CISO may approve effective compensating controls in writing, and the CISO must review the feasibility of encryption and the effectiveness of those controls at least annually.
- Multi-factor authentication – Based on the risk assessment, entities must use effective controls, which may include multi-factor authentication or risk-based authentication, to protect against unauthorized access to Nonpublic Information and Information Systems. The regulation stipulates that multi-factor authentication must be used for any individual accessing the Covered Entity’s internal networks from an external network, unless the Covered Entity’s CISO has approved in writing the use of reasonably equivalent or more secure access controls.
Risks Unique to Financial Enterprises
After the Equifax breach, companies and the public began to fully realize the extent and implications of cyber attacks. DDoS attacks, trojans and ransomware affect not only operations but also customer loyalty.
For financial institutions, customer loyalty provides stability. Each new breach weakens that stability as customers move their money elsewhere for fear of another attack. Even though virtually every financial institution will eventually deal with a security incident, the controls in place to protect customer information do play a role in retaining customers.
Furthermore, the most critical financial institutions (the “Section 9” critical infrastructure entities identified under Executive Order 13636) are the groundwork of the U.S. economy. If they were compromised, whether by a foreign state or an individual, the U.S. economy could face serious repercussions. To implement the right controls, it helps to know the common threats facing financial institutions.
- ATMs – Serving as a direct link to cash, ATMs are targeted with black boxes, skimming devices, malware and software vulnerabilities. In a black box attack, the attacker opens the ATM housing and connects a device directly to the cash dispenser, issuing dispense commands that bypass the ATM’s own computer. Malware can manifest in different ways, from capturing PINs and card data to issuing withdrawal commands. In many cases, close monitoring of ATM activity and physical tamper alarms will catch such activity, and keeping ATM hardware and software current helps prevent it.
- Third-party vulnerability – With more and more financial transactions occurring online, financial institutions commonly work with third parties to develop web and mobile platforms. With cloud service providers, consider where the data (especially sensitive data) is stored and who has access to it, and ask what security measures the provider implements. Companies may also contract data storage (not cloud related) to a third party; in that case similar considerations apply: who is storing the data, and how? Conduct a risk assessment of the third party, as the NYDFS regulation requires. Regardless of the third party’s role, financial institutions should assess its security measures before signing a contract and periodically afterward. Learn more about the top 5 disadvantages of cloud storage and 10 tips for keeping private information secure in the cloud in our related blog articles.
- DDoS attacks – DDoS attacks can be debilitating to financial institutions and send customers into a panic, for example when customers cannot reach their accounts online. The spread of Internet of Things (IoT) devices has made these attacks easier to mount: poorly secured IoT devices are routinely conscripted into botnets (the Mirai botnet of 2016 being the best-known example) that generate the flood of traffic. At the same time, every channel a bank exposes to customers’ phones, smart watches and laptops is another public-facing service an attacker can target.
The risk assessment is the foundation of the NYDFS cybersecurity regulation. It determines which security controls, policies and third parties best fit an entity’s needs and clientele. To receive assistance with cybersecurity solutions and a risk assessment, or to learn more about the NYDFS cybersecurity requirements, contact RSI Security today.