In the aftermath of the multiple data breaches, the New York Department of Financial Services (DFS) created 23 NYCRR 500 establishing cybersecurity requirements for financial services companies. Effective March 1, 2017, this regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities. The company must assess its specific risk profile and design a program that addresses its risks in a robust fashion. Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations. The cybersecurity program must ensure the safety and soundness of the institution and protect its customers.
Companies have to know what data they have, where it resides, how to discover it, properly classify it, and how to delete it. To properly comply with the data retention schedule, you have to know where your data is at all times. It is no longer possible to just build a wall around data. Companies need to get into the data they have so they can better organize and protect it. Then minimize data being stored and reduce the collection of unnecessary new data.
Proper categorization precedes strong data controls. You need to identify what the data is, whether it is personal information, publicly available information, trade secrets, sensitive personal information. Once the data is categorized, it can be future broken down into what is what level of security is required for the data, what can be retained, and what must be deleted. Ardent Privacy’s Turtle Shield software utilizes a data-centric approach to quickly scan and map data to locate and identify and classify all of your data to compliance standards of the regulation. Practicing good data hygiene upfront decreases the risk and liability in the event of a data breach.
Who Must Comply?
All covered entities, which are defined as “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”
Covered entities include:
- State-charted banks
- Licensed lenders
- Private bankers
- Foreign banks licensed to operate in New York
- Mortgage companies
- Insurance companies
- Service providers
The regulation focuses on the golden triangle of cybersecurity: people, process, and technology (PPT) to streamline and improve data protection practices. Regulation Sections by PPT:
- Designated person (or 3rd party) to oversee and implement the cybersecurity program
- Cybersecurity Personnel and Intelligence
- Cybersecurity Program
- Cybersecurity Policies (14 specific policies required)
- A written report on the cybersecurity program and cyber risks
- Penetration Testing and Vulnerability Assessments
- Audit Trail
- Access Privileges
- Application Security
- Risk Assessment
- Third-Party Service Provider Information Security Policy
- Limitations on Data Retention
- Training and Monitoring
- Written Incident Response Plan
- Notice to Superintendent
- Multi-factor Authentication
- Encryption of Nonpublic Information
Designated person (or 3rd party) to oversee and implement the cybersecurity program
Each Covered Entity shall designate a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy The Chief Information Security Officer (“CISO”) may be employed by the Covered Entity, one of its Affiliates or a Third-Party Service Provider. The CISO will provide annual reports to the Board and Executives on the cybersecurity program and cyber risks.
Cybersecurity Personnel and Intelligence
In addition to a CISO, each covered entity shall:
- utilize qualified cybersecurity personnel of the covered entity, an affiliate or a third-party service provider sufficient to manage the covered entity’s cybersecurity risks and to perform or oversee the performance of the core cybersecurity functions specified in section 500.2(b)(1)-(6) of this Part;
- provide cybersecurity personnel with cybersecurity updates and training sufficient to address relevant cybersecurity risks
- verify that key cybersecurity personnel takes steps to maintain current knowledge of changing cybersecurity threats and countermeasures.
A covered entity may use a third-party service provider to assist in compliance
(a) Cybersecurity program:
Each covered entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity, and availability of the covered entity’s information systems.
(b) The cybersecurity program shall be based on the covered entity’s risk assessment and designed to perform the following core cybersecurity functions:
(1) identify and assess internal and external cybersecurity risks that may threaten the security or integrity of nonpublic information stored on the covered entity’s information systems;
(2) use defensive infrastructure and the implementation of policies and procedures to protect the covered entity’s information systems, and the nonpublic information stored on those information systems, from unauthorized access, use or other malicious acts;
(3) detect cybersecurity events;
(4) respond to identified or detected cybersecurity events to mitigate any negative effects;
(5) recover from cybersecurity events and restore normal operations and services; and
(6) fulfill applicable regulatory reporting obligations.
(c) A covered entity may meet the requirement(s) of this Part by adopting the relevant and applicable provisions of a cybersecurity program maintained by an affiliate, provided that such provisions satisfy the requirements of this Part, as applicable to the covered entity.
(d) All documentation and information relevant to the covered entity’s cybersecurity program shall be made available to the superintendent upon request.
Cybersecurity Policies (14 specific policies required)
Incudes the requirement for risk assessment, incident response, and others. The regulation does not specify the precise content of each policy must-have.
Cybersecurity event – any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system or information stored on such an information system.
Other key definitions can be found here
A written report on the cybersecurity program and cyber risks
- Require Annual report from the CISO to the board or C-Suite
- Report on the cybersecurity program and cyber risks
- Confidentiality of Nonpublic information
- Integrity and security
- Cybersecurity policies and procedures
- Material cyber risks
- The overall effectiveness of the program
- Material cybersecurity events that occurred
Penetration Testing and Vulnerability Assessments
- Monitoring and testing according to the risk assessment in order to assess the effectiveness of the cybersecurity program
- Continuous monitoring or annual penetration tests
- Bi-annual vulnerability assessments
- Testing and assessments are based on the results of the risk assessment
The audit trail is used to detect and respond to cybersecurity events and reconstruct transactions to support normal obligations.
Companies must maintain records for three to five years depending on the section requirements.
Securely maintain systems that, to the extent applicable and based on its risk assessment:
- are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the covered entity; and
- include audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any part of the normal business operations
- limit user access privileges to info systems that provide access to nonpublic information
- periodically review access privileges.
- Written procedures, guidelines, and standards for the application.
- Companies must follow secure development practices for in-house software development.
- Procedures for evaluating, assessing, or testing of the externally developed software.
- The security officer or third party must periodically review and update the application security.
Companies must periodically conduct a risk assessment to test the effectiveness of the cybersecurity program. The assessment must follow written policies and procedures and include how risks will be mitigated or accepted. The risk assessment determines how the rest of the cybersecurity program should be set up. The Risk Assessment must be carried out and documented in accordance with the following written policies and procedures:
- Criteria for the evaluation and categorization of identified cybersecurity risks or threats against the info system
- Criteria for the assessment of the confidentiality, integrity, security, and availability of your information systems and nonpublic information, including the adequacy of existing controls in the context of identified risks
- How identified risks will be mitigated or accepted based on the Risk Assessment
- How the cybersecurity program will address the risks
Third-Party Service Provider Information Security Policy
Third parties must have written policies and procedures ensuring the security of Nonpublic information held or accessible by third parties. The compliance requirements include all third-parties with access to a covered entity’s data. Further details can be found here.
Limitations on Data Retention
The cybersecurity program shall include policies and procedures for the secure disposal on a periodic basis of any nonpublic information that is no longer necessary for business operations or for other legitimate business purposes.
Exception: when nonpublic information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.
Training and Monitoring
- implement risk-based policies, procedures, and controls designed to monitor the activity of authorized users and detect unauthorized access or use of, or tampering with, nonpublic information by such authorized users
- provide regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the risk assessment.
Written Incident Response Plan
- Designed to allow prompt response to a cybersecurity event
- Allows for a quick recovery from a cybersecurity event
- Review and review regularly or as needed after a cybersecurity event
The plan includes:
- Personnel roles
- Responsibilities and decision making
Notice to Superintendent
This regulation is enforced by the superintendent of the NYS Department of Financial Services. Companies must notify the superintendent as promptly as possible, but no later than 72 hours after determining that a cybersecurity event occurred that is either of the following:
- Cybersecurity events impacting the covered entity of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body; or
- Cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity.
Additionally, covered entities must annually submit to the superintendent a written statement declaring compliance covering the prior calendar year by February 15.
To report a breach, use the NYS Security Breach Reporting Form.
A company that violates the regulation can sustain fines of $250,000 or one percent of total banking assets.
Based on its risk assessment, each covered entity shall use effective controls, which may include multi-factor authentication or risk-based authentication, to protect against unauthorized access to nonpublic information or information systems. Multi-factor authentication shall be utilized for any individual accessing the covered entity’s internal networks from an external network unless the covered entity’s CISO has approved in writing the use of reasonably equivalent or more secure access controls.
Encryption of Nonpublic Information
Based on its risk assessment, each covered entity shall implement controls, including encryption, to protect nonpublic information held or transmitted.
- If encryption of nonpublic information in transit over external networks is infeasible, the covered entity may instead use compensating controls reviewed and approved by the CISO
- If infeasible, the covered entity may instead secure such nonpublic information using effective alternative compensating controls reviewed and approved by the CISO.
- The feasibility of encryption and effectiveness of the compensating controls shall be reviewed by the CISO at least annually.
- Fewer than 10 Employees working in New York State
- Less than $5 million in gross annual revenue in each of the last 3 fiscal years.
- Less than $10 million in year-end total assets, according to GAAP, including all affiliates
These exemptions do not absolve the entity from complying with certain parts of the regulation. The full list of exemptions can be found here.
Covered entities must regularly review their cybersecurity implementations to ensure they are up to date. Additionally, prepare for any new changes or amendments. Entities must go beyond data protection by implementing data minimization to reduce risk, liability, and monetary impact.
The crucial first step of data security compliance is knowing what data you have, then identifying sensitive data and information assets that require protection under the law. Ardent Privacy’s solution provides data risk assessments and automates mapping, identification, and inventory data assets. Ardent Privacy specializes in data minimization and secure disposal, eliminating excess data to reduce liability.
Ardent Privacy articles should not be considered as legal or technical advice on the Insurance Data Security Act, or any specific facts or circumstances. This article is written to express the opinion of the writer and nothing else.