If you’re even loosely connected to the financial services industry, you’ve no doubt heard about the newest cybersecurity requirements issued by the New York State Department of Financial Services (called 23 NYCRR 500). Though right now these requirements just apply to regulated entities within the jurisdiction of the NYDFS, they’re likely indicative of future regulations to come to industries across the board.
The regulations may seem overwhelming, so we’ve broken them down into an easy-to-understand overhead view.
Why 23 NYCRR 500 Exists
The NYDFS cybersecurity regulations exist because there is a very real threat from “…nation-states, terrorist organizations, and independent criminal actors.” Increasingly, cybercriminals are spending their time looking for technological vulnerabilities they can exploit to gain access to sensitive data.
The Rules are Thorough and Prescriptive
Because each business is different, with different technological dependencies and components, it would be impossible to define granular regulations. Instead, businesses are required to develop their own cybersecurity program that “…addresses its risks in a robust fashion.” This is good news because it allows entities regulated by the NYDFS to maintain autonomy over their cybersecurity program while simultaneously being given the guidance for meaningful data protection.
The following are non-negotiable components of the new regulations:
1. You’ll need a written, approved cybersecurity program
This written policy needs to address everything from information security and data governance to systems and network security and monitoring. The policy needs to be approved by a Senior Officer or a board of directors.
2. You’re required to designate a CISO
The Chief Information Security Officer is responsible for “overseeing and implementing” your company’s cybersecurity policy. The CISO needs to report once a year to the board of directors on the integrity of the business’s information security, cybersecurity risks, and current cybersecurity policies and procedures.
3. You’re required to conduct penetration testing and vulnerability assessments
In addition to continuous monitoring, your company is also required to conduct annual penetration testing and bi-annual vulnerability assessments. These are important to ensure your digital infrastructure can withstand attacks and is as hardened as possible against vulnerabilities.
4. You’ll need to keep records of everything
Keeping careful records of transactions is a hallmark of the financial industry, but now that same fastidiousness needs to apply to cybersecurity. Audit trails must be in place and records must be kept for a minimum of three years.
5. You’ll need to limit access privileges
A system is only as strong as its weakest user. That’s why the requirements mandate restricted user access privileges to information systems. Those access privileges need to be routinely reviewed.
6. You’ll need written guidelines for developing applications
Your company undoubtedly develops in-house apps. Under the 23 NYCRR 500 guidelines, your cybersecurity program needs to include best practices, guidelines, and standards for secure development processes and procedures to ensure those apps adhere to your company’s cybersecurity guidelines.
7. You’ll undergo regular risk assessments
Your company needs to define its “risk appetite”: in other words, what level of risk it is willing to accept and how your cybersecurity program will mitigate that risk.
8. You’ll have to hire cybersecurity personnel
These cybersecurity personnel will need to be trained for your specific cybersecurity policy and will need to know all about the current and changing cybersecurity landscape.
9. You’ll need to develop a third-party service provider security policy
Your company relies on third-party vendors to survive, but those vendors can have their own vulnerabilities. Under 23 NYCRR 500, you’re responsible for identifying and defining third-party vendor risks. (Pro tip: RiskRecon can help identify and continuously monitor third-party risk for you.)
10. You’ll need to embrace multi-factor authentication
Multi-factor authentication requires more than a single password or other identifier to access certain programs, apps, and email.
11. You’ll need to dispose of data securely
Instead of hanging onto data indefinitely, your cybersecurity program needs to define how long you’ll keep data and how you’ll securely dispose of it once the limit has been reached.
12. You’ll need to train everyone
Every employee of your organization needs to be an advocate for cybersecurity. That means providing regular and updated cybersecurity training for all personnel.
13. You’ll need to get better at encrypting nonpublic information
All your sensitive (nonpublic) information needs to be encrypted. If the data can’t be encrypted, you’ll need to figure out an alternative to protect the information.
14. You’ll need to figure out what to do if something goes wrong
You need to have a written incident response plan in the event that a cybersecurity event occurs. The plan should include who has decision-making authority and what the goals of the incident response plan will be. You’ll also need to notify the superintendent within 72 hours if a cybersecurity event occurs.
It’s a long list of rules, and companies regulated by the NY State Department of Financial Services have, at most, two years to bring their cybersecurity practices into compliance. Once compliance is met, your company will need to file a certification of compliance annually. To read more about the new requirements, go here.