New York State Department of Financial Services – 23 NYCRR 500 – ‘CyberSecurity Requirements for Financial Services Companies’
Yes, that title is a serious mouthful! In this post I want to give a quick overview of what this new law states and requires as it was just released today! Like most legal documents it can be a little verbose and has a relatively illogical flow if you’re in the Cyber Security field (many times jumping between topics). I hope to make it a little clear and easy to quickly digest.
For the official language check out:
In summary the law requires Regulated Financial Institutions to create a cybersecurity program based on Risk Management, document cybersecurity related policies and procedures and protect the CIA of ‘Non Public’ data. This requirement goes into effect on March 1st of 2017 at which point Covered Entities have 180 days to comply!
If you’re familiar with HIPAA this new law sounds very similar, you can basically just replace ePHI with ‘non public data’ and you have a good understanding of the new law, with a few interesting exceptions. Keep in mind I’m greatly paraphrasing here but it basically says:
- Appoint a CISO
- Perform a Risk Assessment (and update as necessary)
- Make Risk Management the core of your security decisions
- Document all policies and procedures
- Write an Incident Response Plan
- Perform Penetration testing & Vulnerability Assessments
- Train ALL your people on a regular basis
- Train your cybersecurity folks with updated technical training
- Implement a secure SDLC for home grown apps
- Monitor your assets and create audit trails
- Document BCP/DR Plans and requirements
- Ensure Third Parties and Vendors are secure and securely access your data
- Limit user privileges
- Securely destroy unnecessary data
Most Interesting Nuggets
Annual penetration testing is required UNLESS you have a complete monitoring system! This doesn’t really make a whole lot of sense to choose one or the other. They’re both completely integral parts of a defense in depth strategy. Hopefully this language will be tweaked and clarified with guidance documents from the state.
A CISO must be appointed and the CISO can be a third party! This is great, makes perfect sense. Kudos Cuomo! I’m not being sarcastic, I’ve seen too many places appoint an unqualified internal person only because they don’t believe it’s accepted in the industry to outsource this role.
It seems to stress that you use ‘qualified cybersecurity professionals’ and that you regularly train them and ensure they’re knowledge is up to date. This is also really great that it specifically calls out training your cybersecurity folks.
There’s a lot of well written requirements related to ensuring that the vendors and third parties which access the systems housing ‘non public data’ must be compliant with security standards, tested and verified. It also includes a few nice pointers for technologies to secure third parties like multi factor authentication, risk based authentication and encryption technologies.
Human Readable Requirements:
Following is a plain language version of all the core concepts in the law:
- Maintaining a ‘Cybersecurity Program’ to protect the CIA of Information Systems
- CS Program based on Risk Assessment
- Risk assessment to include Internal and External cybersecurity risks
- Use technology and documented policies and procedures to protect ‘Non Public’ Data
- Monitor for Cybersecurity issues
- Incident Response
- Business Continuity / Disaster Recovery
Designate a ‘qualified individual’ as CISO
CISO may be employed by an affiliate or Third Party Service Provider!
CISO must report IN WRITING at least ANNUALLY to board of directors at least the following: Confidentiality of non public data, policies and procedures, overall effectiveness of program, material incidents and events.
Policies should be based on the findings of the Risk Assessment. Policies must be maintained, documented and approved by a Senior officer OR the board of directors. Policies should include the following as deemed fit:
(1) information security;
(2) data governance and classification;
(3) asset inventory and device management;
(4) access controls and identity management;
(5) business continuity and disaster recovery planning and resources;
(6) systems operations and availability concerns;
(7) systems and network security;
(8) systems and network monitoring;
(9) systems and application development and quality assurance;
(10) physical security and environmental controls;
(11) customer data privacy;
(12) vendor and Third Party Service Provider management;
(13) risk assessment; and
(14) incident response.
Monitoring, Testing, Audit & SDLC
If you don’t have ‘effective and continuous monitoring’ you have to perform Annual Penetration Testing AND bi-annual vulnerability assessments.
Must create audit trails of Security related events on Information Systems to support Incident Response
Limit user privileges to systems with non public data.
Implement WRITTEN documentation for Secure SDLC of in-house applications.
Monitor activity of authtorized users and detect unauthorized access
All the text for performing a risk assessment is pretty boilerplate and defines what you would expect. Identify risks to CIA of systems based on weaknesses in security controls, document how you’ll address those issues and do it!
Personnel & Training
Utilize ‘qualified cybersecurity’ personnel
Provide them with training and updates
Verify your people maintain their knowledge
Provide updated and regular cybersecurity awareness training for ALL personnel
Vendors & Third Parties
Third parties that have access to non public data must have documented policies for security.
- Perform risk assessment of third party service providers
- Minimum security expectations and requirements of third parties
- Perform Due diligence your third parties are following requirements
- Periodic security assessments of third parties
- Use multi-factor auth for third parties as required
- Use encryption as required with third parties (in transit and at rest)
- Requirement for third party to notify company of security issues
Multi factor authentication or risk based authentication
Must use multi factor auth to access internal network from an external network UNLESS the CISO has approved in writing ‘reasonably equivalent’ controls!
Encryption (In Transit & At Rest)
If it’s not feasible to encrypt network traffic over EXTERNAL networks or data at rest the CISO can document and approve ‘effective compensating controls’. If you use alternate encryption controls you have to review it at least annually.
A written Incident Response Plan which includes the following:
- The INTERNAL process for Incident Response
- The goals of the IR Plan
- Definition of clear roles and responsibilities and levels of decision making authority
- Internal and external communications and data sharing
- requirements for remediation of vulnerabilities identified
- Documentation and reporting of incidents and responses
- Reviewing and revising of the IR Plan
The SuperIntendent must be notified no later than 72 hours after a detected incident that meets one of the following:
- Incidents which must be reported to a government body, self-regulatory agency or other supervisory body
- Incidents which have a reasonable likelihood of of ‘materially harming’ any ‘material part’ of the normal operations of the company
Securely dispose of unneeded data