By Kyle Watson, Identity and Access Management and Cloud Access Security Broker Expert, Cedrus
For those of you in organizations subject to NYDFS oversight, you are probably aware of 23 NYCRR 500, a new set of cybersecurity requirements that went into effect this past March for financial services companies operating in New York. Its purpose is to address the heightened risk of cyberattacks by nation-states, terrorist organizations and independent criminal actors.
So who does NYDFS NYCRR Part 500 apply to? If your company operates in New York, the first question you should ask is: Does my company meet the definition of a Covered Entity? According to the DFS website, the following entities are subject to compliance:
- Licensed lenders
- State-chartered banks
- Trust companies
- Service contract providers
- Private bankers
- Mortgage companies
- Insurance companies doing business in New York
- Non-U.S. banks licensed to operate in New York
As the year comes to an end, it is imperative that your organization is ready to comply and file the annual DFS Certification of Compliance, which is due on February 15, 2018.
In Financial Services, you should already have a set of policies, procedures, standards, and guidelines based on a Common Security Framework (ISO, COBIT, etc.) that allow you to perform risk assessments and comply with regulatory mandates. Policies drive the necessary processes and procedures that govern your day-to-day operations, enabling your business to be secure and compliant. You should be reinforcing this with everyone who has access to your systems and data through awareness training during onboarding and on a periodic basis.
There has been an increasing focus on compliance at the data level of protection. NYDFS classifies this data as Non-Public Information. It is necessary for organizations to have data protection strategies in place to protect employees, partners, and customers. The increase in threats and breaches has prompted legislative bodies to issue regulations to ensure that companies are behaving in a way that mitigates risk. Many new regulations have come into play in recent years. Prior to NYDFS 23 NYCRR 500, there was the EU General Data Protection Regulation (EU-GDPR) in 2016, and Service Org Control (SOC) in 2011 (formerly SSAE16 in 2010 and SAS70 in 1992). A robust risk-based approach to data protection means that your company should have a short distance to get to compliance, but each new regulatory mandate introduces changes that must be considered in data protection, visibility, and reporting to the executive level.
NYDFS started in March 2017, and there was a transitional period that ended in August 2017, with the deadline for filing an extension ending in September 2017. The timeline gets more specific as the new year rolls out, with the first annual certification due on February 18, 2018. Following the early 2018 deadline is a timeline for implementing specific controls required by the regulatory mandate.
The NYDFS 23 NYCRR 500 Timeline
There are five key things that you need to do immediately if you have not done so:
- Appoint a Chief Information Security Officer (CISO) with specific responsibilities
- Ensure that senior management files an annual certification confirming compliance with the NYCRR Part 500 regulations
- Conduct regular assessments, including penetration testing, vulnerability assessments, and risk assessments
- Deploy key technologies including encryption, multi-factor authentication, and others
- Ensure your processes allow you to report to NYDFS within 72 hours any cybersecurity event “that has a reasonable likelihood of materially affecting the normal operation of the entity or that affects Nonpublic Information.”
What makes this new set of regulations unique is that it requires companies to comply with more specific, enforceable rules than they currently use. It also differs from existing guidance, frameworks, and regulations in that it has a broad definition of protected information, increases oversight of third parties, and calls for the timely destruction of NPI (Non-Public Information) and prompt notification of a cybersecurity event (72 hours). Entities are also mandated to maintain unaltered audit trails and transaction records and submit annual certification.
So How Is Compliance Measured?
A recent survey by the Ponemon Institute reports that 60 percent of respondents (who primarily work in their organizations’ IT, IT security and compliance functions) believe this regulation will be more challenging to implement than GLBA, HIPAA, PCI DSS, and SOX. What is unique about NYDFS NYCRR Part 500 is that it obligates entities to comply with more specific and enforceable rules than they currently face. It differs from existing guidance, frameworks, and regulations in several meaningful ways:
- Broad definition of protected information
- Broad oversight of third parties
- Timely destruction of NPI (nonpublic information)
- Prompt notification of cybersecurity event (72 hours)
- Maintaining unaltered audit trails and transactions records
- Annual certification (first submission due on February 15, 2018)
As an NYDFS covered entity, an organization must certify that they have implemented the controls as outlined in the requirements of NYCRR Part 500. In order to certify, the Board of Directors or Senior Officers must have evidence that appropriate governance, processes, and controls are in place. This evidence is provided through the Risk Assessment.
There are nine major components of the NYDFS regulation that should drive an entity’s Risk Assessment:
- Third-party Risk Management
- Vulnerability & Penetration Testing
- Logging and Monitoring
- Access Security
- Multi-factor Authentication
It is important to note that the Risk Assessment must be conducted periodically, updated as necessary, and conducted in accordance with written policies and procedures so that it’s a defined and auditable process. Finally, it must be well documented. Meeting compliance will be a challenge for some, even though financial services companies have expected the new cybersecurity regulation for some time. Some of the challenges that we foresee in achieving NYDFS compliance are:
- Keeping senior management and key stakeholders involved in the planning and reporting process
- Running regular risk assessments, noting deficiencies from each assessment, and adjusting as necessary
- Validating that within your technology line-up, you are covered. Are key technologies such as encryption and multifactor authentication in place?
- Reporting within 72 hours. As you review your incident process, assess whether you can respond to the reporting requirements for cybersecurity events within the required 72-hour period.
In addition to protecting customer data and fortifying the information systems of financial entities, another significant attribute of NYDFS 23 NYCRR Part 500 is that it widens the net of regulated data protection. NYDFS is driving organizations to properly secure sensitive Non-Public Information, known as NPI. Even though NPI classification is not new (GLBA was one of the first regulations to introduce personal data security requirements for NPI), the NYDFS regulation has a more prescriptive approach than others: it requires entities to implement policies, procedures, and technologies to comply.
NPI acts as an umbrella over PII (Personally Identifiable Information) and PHI (Protected Health Information). All three data types have their nuances though, so even if you secure your PII and PHI, it doesn’t mean that your NPI is 100% secure and that you’re in compliance. Take some time to evaluate NPI in your organization – see section 500.01.g for the NYDFS definition of NPI.
Being Compliant with NYDFS Through the Proper Protection of NPI
Cloud Access Security Broker (CASB) and Identity and Access Management (IAM) are two key components that can help an organization with its overall compliance strategy for Part 500, and ultimately improve your ability to protect sensitive data and avoid a breach.
CASB is a key security technology for NYDFS compliance
CASB provides critical features necessary in the control strategy for cloud applications:
- Discover what cloud applications are in use as well as where specific data is going to cloud applications, such as PII, PHI, or NPI
- Invoke actions such as alerting the user or blocking a specific app or activity, like upload or download, based upon unusual behavior through user behavior analytics
- Detect data compromises and anomalies and take action while informing other security systems like Security Information and Event Management (SIEM) for event correlation and forensics
- Provide vendor risk analysis and ranking including important items such as recent breaches and incidents, infrastructure used to serve the application, and the vendor’s policies around data ownership and destruction
- Control access over critical cloud apps and data using the context of device, data, location, or other behavioral risk information
- Monitor authorized users to track their application use
IAM is also a key security technology for NYDFS
When it comes to IAM, the value lies in Access Privileges and Multi-Factor Authentication. IAM enterprise tools can tie access provisioning to job functions and job roles, which allow you to manage to the minimum necessary/least privilege. They can also provide access attestation features so you can review access to applications with regulated information on a periodic interval, and approve or revoke the access based upon a need-to-know basis. Finally, IAM technology is invoked to trigger the need for Multi-Factor Authentication in applications and services (typically in conjunction with a third-party Multi-Factor Authentication end-user solution such as Google Authenticator or DUO).
CASB and IAM work together to provide critical controls for cloud applications
Achieving and maintaining cybersecurity compliance is a complicated process, but it doesn’t have to be a difficult or stressful one. Find out more by downloading our Road to CASB: Key Business Requirements 2.0 whitepaper, designed to provide you with requirements that you can use as input consideration for your CASB initiative.