New York’s Cybersecurity Regulations
This month (March 2017), the New York State Department of Financial Services introduced new cybersecurity requirements applying to financial services companies operating within the State of New York.
These requirements mostly reiterate existing Federal regulation within the financial services sector. For firms already adhering to Federal Financial Institutions Examination Council (FFIEC) standards and the Financial Privacy Rule of the Gramm–Leach–Bliley Act (GLBA), the additional burden imposed by these new rules should be minimal.
Below is a brief mapping of the New York State rules to existing requirements (500.01 Definitions has been intentionally omitted):
• 500.02 - Cybersecurity Program - generally covered by GLBA and FFIEC IT Examination Handbook - Information Security.
• 500.03 - Cybersecurity Policy - generally covered by GLBA and FFIEC IT Examination Handbook - Information Security.
• 500.04 - Chief Information Security Officer - the CISO role is covered generally by GLBA. The FFIEC IT Examination Handbook - Information Security also requires ownership at a sufficient executive level. The new requirements specifically call out the need for this specific role and title to be assigned.
• 500.05 - Penetration Testing and Vulnerability Assessments - covered by FFIEC IT Examination Handbook - Information Security (performing penetration testing), PCI standards (penetration testing program), and OCC Third Party Memo 2013-29 (mitigation based on penetration testing).
• 500.06 - Audit Trail - covered by virtually all the FFIEC handbooks; the specific audit retention period of 5 years may be new to some organizations; recreating transactions is part of existing FFIEC Disaster Recovery guidance and is referenced by the latest OCC notice of proposed rulemaking.
• 500.07 - Access Privileges - covered by FFIEC IT Examination Handbook - Information Security.
• 500.08 - Application Security - covered by FFIEC IT Examination Handbook - Information Security.
• 500.09 - Risk Assessment - covered by the body of existing FFIEC guidance.
• 500.10 - Cybersecurity Personnel and Intelligence - this is generally tested within existing guidance when discussing the establishment of a cybersecurity program; however, the NY DFS requirements are more specific and prescriptive, so many organizations may need additional review to ensure coverage.
• 500.11 - Third Party Service Provider Security Policy - generally covered by OCC Third Party Memo 2013-29 and the FFIEC IT Examination Handbook - Information Security.
• 500.12 - Multi-Factor Authentication - this section is more prescriptive than most existing sources, but is generally covered under FFIEC IT Examination Handbook - Information Security.
• 500.13 - Limitations on Data Retention - covered by FFIEC IT Examination Handbook - Information Security.
• 500.14 - Training and Monitoring - this section is also more prescriptive than most existing sources, but is generally covered under FFIEC IT Examination Handbook - Information Security.
• 500.15 - Encryption of Nonpublic Information - covered generally by FFIEC IT Examination Handbook - Information Security.
• 500.16 - Incident Response Plan - covered generally by FFIEC IT Examination Handbook - Information Security.
• 500.17 - Notices to Superintendent - covered by the Bank Secrecy Act, FFIEC IT Examination Handbook - Information Security, and existing state breach notification laws generally.
As discussed above, the new regulations provide slightly more prescriptive requirements in sections 500.10 and 500.14 dealing with qualified cybersecurity staff and staff training and monitoring of staff activity, respectively.
Section 500.12 also provides additional requirements related to access to internal networks originating from outside the organization that may be more prescriptive than existing regulation. However, many institutions have already taken steps to provide two-factor authentication in response to the evolving threat landscape and existing regulatory oversight. The new rules also provide for the use of alternate means of risk management, subject to the approval of the CISO.
While these new regulations only refer to the Covered Entities’ operations, the use of “cloud” and service providers means firms need to understand the extension of risk management into those operations. Firms should focus their energies on understanding the risks posed by the security practices of any third party provider. As with other third party service providers, it is critical to assess the benefits received against the risks posed by use of the provider’s services. Where possible, direct validation should be used to assess risks, but at a minimum the organization should consider contractually mandated third-party attestation of controls in order to regularly assess the provider’s continued commitment to meeting the organization’s risk management expectations. In addition, it is critical that the organization seek and evaluate peer-provided or openly-available risk intelligence sources to assess alignment of the third party with the organization’s operational risk appetite.
Again, this new set of requirements is fully aligned with the continued commentary we hear coming from other regulators and should not prove to be a major surprise to institutions already working to comply with existing regulations.