In response to the ever-growing threat of cyber-attacks, the New York State Department of Financial Services (NYSDFS) has issued 23 NYCRR 500, which sets out cybersecurity requirements and regulatory minimum standards for financial services companies. It applies to any company operating under the authority of NYSDFS under New York banking, insurance, or financial services law. In it, NYSDFS urges covered entities “to move swiftly and urgently to adopt a cybersecurity program” as outlined in the regulation.
Cybersecurity threats are nothing new to the financial sector. Many financial institutions are already well along in their cybersecurity maturity and have proactively taken steps to protect nonpublic information over and above what the Gramm-Leach-Bliley Act (GLBA) requires. This is largely in response to significant guidance from the Federal Financial Institutions Examination Council (FFIEC), including updates to its core examiner’s handbooks over the last three years and the Cybersecurity Assessment Tool released in 2015. However, this first-of-its-kind regulation formalizes the requirement for every covered entity to file an annual certification of compliance, and it imposes penalties for non-compliance.
The Core of 23 NYCRR 500
The core of the cybersecurity regulation is developing a robust risk-based cybersecurity program that protects the confidentiality, integrity, and availability of nonpublic data. The program must be overseen and enforced by a qualified Chief Information Security Officer (CISO), who can either be an in-house employee or a third-party resource.
The Program should:
- Identify and assess cybersecurity risk, both internal and external, that threatens data security or integrity.
- Implement infrastructure, policies, and procedures, so that when an organization experiences a cybersecurity event, they can detect it, respond to it, recover from it, and then report it appropriately.
At the end of the day, it’s really about cyber resiliency.
Assessing Your Cybersecurity Risk and Cyber Resiliency
The new regulation is risk-based rather than prescriptive. There isn’t a one-size-fits-all set of controls; instead, the requirements are tied to the institution’s own risk assessment. This provides flexibility, but it also puts the onus on the institution to determine what an “acceptable level” of risk is for its business.
Assessing and managing cybersecurity risk is no small task. It takes considerable thought and effort, along with a great deal of cybersecurity expertise. When determining risk, the size, scope, and complexity of the organization must be considered. You must also know which internal and external systems are critical to operations and/or process, store, or transmit legally protected or sensitive data.
Undertaking a cybersecurity resilience assessment can make this process easier. Frameworks such as the NIST Framework for Improving Critical Infrastructure Cybersecurity and the FFIEC Cybersecurity Assessment Tool provide organizational context for cybersecurity risk and for the processes in place to manage that risk.
The result is a roadmap that can help you on your journey to compliance, as well as enhance security and business resilience.
Tips for 23 NYCRR 500 Compliance
Here are some tips to keep in mind as you assess your current program in light of the new regulation.
#1. Having policies and procedures isn’t enough.
The regulation calls for a whole host of policies and procedures. First and foremost is a cybersecurity policy, but there are also stipulations for secure development practices, risk assessments, and incident response planning, to name a few. But it’s not enough that these exist – they must be documented, practiced, and enforced.
#2. Access to cybersecurity expertise is paramount.
We’ve already mentioned that the new regulation requires all covered entities to designate a CISO, a “qualified individual” who is responsible for overseeing and implementing the cybersecurity program, as well as enforcing the cybersecurity policy. But the regulations go even further, having specific requirements for additional cybersecurity personnel and intelligence building, including cybersecurity awareness training along with maintaining “current knowledge of changing cybersecurity threats and countermeasures.”
The good news, especially for organizations that don’t have the budget or a reliable source of in-house cybersecurity expertise, is that these positions can be filled by a reputable third party. Working with a trusted partner can be a cost-effective way to meet these requirements quickly.
#3. Keep your executives informed.
Cybersecurity is an executive responsibility. They set the tone for the entire organization. Leaders must lead by example when it comes to cybersecurity, and actively participate in, and be supportive of, the mission to be secure.
The NYSDFS regulation makes this official. Each year, the board of directors or a senior officer must sign a certification of compliance stating that they have “reviewed documents, reports, certifications and opinion of such officers, employees, representatives, outside vendors” and that the entity is in compliance. According to PwC, “Those submitting the certification could potentially be exposed to individual liability if the organization’s cybersecurity program is found to be noncompliant.”
#4. Your third parties aren’t exempt.
Vendors and other third parties with access to systems housing nonpublic data are specifically called out in the regulation. Covered entities must have policies and procedures to ensure these providers meet minimum security practices, and must periodically assess and verify them. The regulation also points to controls for securing third-party access (and the covered entity itself), such as multi-factor authentication, risk-based authentication, and encryption. Remember, you can outsource the function, but never the responsibility.
#5. Actively hunt down threats every day.
An important part of the cybersecurity program outlined in this regulation is the ability to detect when a cybersecurity event occurs. The longer an attacker maintains an undetected presence on your network, the more damage is done, so being able to detect a threat quickly is paramount.
Effective threat detection cannot happen by algorithm alone. An automated, real-time intrusion detection system is necessary but not sufficient. In addition to your usual perimeter and internal network controls, someone should proactively look for anomalies on your network every day. That takes an analyst who is highly trained and up to date on the current threat environment reviewing your network and authentication logs on a daily basis, looking for the things a signature-based tool will not flag: a login from an address an account has never used, activity at an hour that account is never active, or a success that follows a string of failures.
Additionally, having a system (or service) in place to collect and retain logs, and to track the response to each event, supports the audit trail requirements within the regulation.
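One concrete form of the daily hunt described above is a short script that builds a baseline of who logs in from where and when, then flags today’s successful logins that break that baseline. The following is an added example written for this page, not code from the original article or from any Tyler product. The SSH authentication log lines, hostname, account names and IP addresses are constructed sample data, and the five-failure threshold is an assumption chosen for illustration.

```python
"""Daily authentication-anomaly hunt over syslog-style sshd lines.

Added illustration for this page; not code from the article or a Tyler product.
All log lines below are constructed sample data.
"""
import re
from collections import defaultdict

# Constructed history used to build a per-account baseline (only successes count).
HISTORY = """\
Mar  1 08:02:11 bastion sshd[903]: Accepted publickey for alice from 10.0.1.20 port 50412 ssh2
Mar  1 09:15:40 bastion sshd[911]: Accepted publickey for bob from 10.0.1.31 port 50420 ssh2
Mar  1 14:30:02 bastion sshd[940]: Accepted publickey for alice from 10.0.1.20 port 50471 ssh2
Mar  2 09:01:19 bastion sshd[1010]: Accepted publickey for alice from 10.0.1.20 port 50502 ssh2
Mar  2 13:44:58 bastion sshd[1032]: Accepted publickey for bob from 10.0.1.31 port 50519 ssh2
Mar  2 13:50:03 bastion sshd[1033]: Failed password for bob from 10.0.1.31 port 50521 ssh2
"""

# Constructed "today" log: a password-guessing run against bob from an outside
# address at 03:41, a never-before-seen service account, and alice at 22:05.
TODAY = """\
Mar  3 03:40:55 bastion sshd[1201]: Connection from 203.0.113.7 port 51022
Mar  3 03:40:58 bastion sshd[1201]: Failed password for bob from 203.0.113.7 port 51022 ssh2
Mar  3 03:41:01 bastion sshd[1201]: Failed password for bob from 203.0.113.7 port 51022 ssh2
Mar  3 03:41:03 bastion sshd[1201]: Failed password for bob from 203.0.113.7 port 51022 ssh2
Mar  3 03:41:05 bastion sshd[1201]: Failed password for bob from 203.0.113.7 port 51022 ssh2
Mar  3 03:41:06 bastion sshd[1201]: Failed password for bob from 203.0.113.7 port 51022 ssh2
Mar  3 03:41:07 bastion sshd[1201]: Accepted password for bob from 203.0.113.7 port 51022 ssh2
Mar  3 09:12:44 bastion sshd[1250]: Accepted publickey for alice from 10.0.1.20 port 50610 ssh2
Mar  3 11:00:09 bastion sshd[1277]: Accepted publickey for svc-backup from 10.0.1.20 port 50633 ssh2
Mar  3 22:05:31 bastion sshd[1390]: Accepted publickey for alice from 10.0.1.20 port 50702 ssh2
"""

# Matches only Accepted/Failed auth events; other sshd lines are ignored.
LINE_RE = re.compile(
    r"^\w{3}\s+\d{1,2} (?P<hour>\d{2}):\d{2}:\d{2} \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(text):
    """Turn raw log text into a list of auth events (hour, result, user, ip)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authentication outcome; skip it
        events.append({"hour": int(m["hour"]), "result": m["result"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def build_baseline(events):
    """Per account: the set of source IPs and hours seen on successful logins."""
    baseline = defaultdict(lambda: {"ips": set(), "hours": set()})
    for e in events:
        if e["result"] == "Accepted":
            baseline[e["user"]]["ips"].add(e["ip"])
            baseline[e["user"]]["hours"].add(e["hour"])
    return baseline


def hunt(baseline, events, fail_threshold=5):
    """Flag successful logins that deviate from the baseline.

    fail_threshold (assumed value) is how many failures from the same
    (user, ip) before a success is treated as a likely guessed password.
    Returns a list of (user, ip, [reasons]) in log order.
    """
    findings = []
    fails = defaultdict(int)  # consecutive failures per (user, ip)
    for e in events:
        key = (e["user"], e["ip"])
        if e["result"] == "Failed":
            fails[key] += 1
            continue
        reasons = []
        known = baseline.get(e["user"])
        if known is None:
            reasons.append("first-ever successful login for this account")
        else:
            if e["ip"] not in known["ips"]:
                reasons.append(f"new source IP {e['ip']}")
            if e["hour"] not in known["hours"]:
                reasons.append(f"unusual hour {e['hour']:02d}:00")
        if fails[key] >= fail_threshold:
            reasons.append(f"success after {fails[key]} failures")
        if reasons:
            findings.append((e["user"], e["ip"], reasons))
        fails[key] = 0  # a success closes the current failure run
    return findings


def run_daily_hunt():
    """Build the baseline from HISTORY and hunt through TODAY."""
    return hunt(build_baseline(parse(HISTORY)), parse(TODAY))


if __name__ == "__main__":
    for user, ip, reasons in run_daily_hunt():
        print(f"{user} from {ip}: " + "; ".join(reasons))
```

Alice’s 09:12 login is silent because it matches her baseline, while her 22:05 login, bob’s out-of-hours success from an outside address after five failures, and the service account that has never logged in before are all surfaced for the analyst. In practice the baseline would come from weeks of retained logs rather than two days, and each finding would be recorded with its disposition so the response itself is auditable.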
Explore How Tyler Can Help
At Tyler, we’ve been partnering with the financial services sector for nearly two decades, helping them achieve their cybersecurity goals and compliance objectives. We understand that cybersecurity isn’t a one-size-fits-all proposition, which is why all our services are customized based on your unique needs and environment.
We believe that achieving cybersecurity resilience depends on what we like to call the cybersecurity lifecycle: an ongoing cycle of interconnected elements that complement and reinforce one another. We offer a suite of services to support your entire cybersecurity lifecycle, including program development, education and training, technical testing, advisory services, and Tyler Detect Managed Threat Detection and Network Forensics Service.
Download 23 NYCRR 500 here.