20 July, 2019
BreachLock Guide on NYDFS Cybersecurity Regulation
The level of threat posed to IT systems by attackers with malicious intent (or independent criminal actors), nation–states, and terrorist organizations is exponentially increasing. With the ever-growing attack surface area, cybercriminals are actively looking for vulnerabilities in the technical systems. These vulnerabilities are then exploited to gain access to sensitive electronic data. Based upon this line of thought, the New York State’s Department of Financial Services (NYDFS) promulgated a cybersecurity regulation called Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500).
According to this regulation, it has been designed to protect customer information as well as IT systems of regulated entities. The regulators believe that certain regulatory minimum standards are required, while not being overly prescriptive so that an organization’s cybersecurity program can match the relevant risks and keep the pace with technological advances. This regulation places a significant amount of responsibility on the Senior Management of the organization while at the same time, it specifies that each covered entity must assess its specific risk profile and design a cybersecurity program that addresses its risks effectively.
- March 01, 2017 – 23 NYCRR 500 becomes effective.
- August 28, 2017 – Transitional period of 180 days ends. All the covered entities are now required to comply with the regulation unless otherwise specified.
- February 15, 2018 – All the covered entities are required to submit their first certification before this date, as per section 500.17(b).
- March 01, 2018 – Transitional period of 1 year ends. All the covered entities are now required to comply with the requirements given under sections 500.04(b), 500.05, 500.09, 500.12, and 500.14(b).
- September 03, 2018 – Transitional period of 18 months ends. All the covered entities are now required to comply with the requirements given under sections 500.06, 500.08, 500.13, 500.14(a), and 500.15.
- March 01, 2019 – Transitional period of 2 years ends. All the covered entities are now required to comply with the requirements given under section 500.11.
Definitions for this regulation are given under Section 500.01. Some of the most important definitions are discussed below.
- Covered Entity (500.01(c)): This regulation defines a covered entity as any person or organization which is operating under or is required to operate under any form of authorization (includes permit, registration, license, certificate, accreditation, etc.) under the Banking Law, the Insurance Law, or the Financial Services Law.
- Cybersecurity Event (500.01(d)): Cybersecurity event is defined as an attempt or an act, whether successful or unsuccessful, carried out or executed to gain unauthorized access to, or to disrupt, or misuse an IT system or information stored on such systems.
- Penetration Testing (500.01(h)): It stands for a testing methodology wherein the assessors attempt to circumvent or defeat the security features of an organization’s technical infrastructure by attempting penetration of databases or controls from outside or inside the covered entity’s environment.
- Risk Assessment (500.01(k)): As given under Section 500.09. (discussed in the upcoming section)
- Cybersecurity Program
Under section 500.02, the regulation makes it mandatory for the covered entities to maintain a cybersecurity program designed to protect the confidentiality, integrity, and availability (the CIA triad) of their technical infrastructure. A cybersecurity program designed by a covered entity must be based on its risk assessment. Components of the cybersecurity program, as required by the regulation, are shown below.
Figure 1: NYDFS Cybersecurity Program Components
- Cybersecurity Policy
As per section 500.03, a covered entity shall implement and maintain a cybersecurity policy or a set of policies which is approved by its Management. This policy or set of policies must be based on the risk assessment and should include –
Figure 2: NYDFS Cybersecurity Policy Components
- Personnel & Service Providers
The regulation prescribes that the covered entities must designate a qualified individual as its Chief Information Security Officer (CISO) who will be responsible for overseeing and implementing its cybersecurity program and cybersecurity policy. The CISO must present annual reports to the covered entity’s Management detailing on various aspects of an organization’s cybersecurity, as given under section 500.04(b). In addition, Section 500.10(a) elaborates on the utilization of qualified cybersecurity personnel by the covered entity. It also requires covered entities to provide updates and training to cybersecurity personnel along with verifying that they take appropriate steps to maintain current knowledge of cybersecurity threats, vulnerabilities, and countermeasures. In consonance with this, section 500.14(b) requires a covered entity to provide regular cybersecurity awareness training for all personnel.
As per section 500.10(b), if a covered entity chooses to utilize a third-party service provider for its cybersecurity, it must be in accordance with the requirements given in Section 500.11.
- Risk Assessment
In this regulation, risk assessment has been heavily emphasized. It may not be wrong to say that conducting risk assessment lays down the groundwork for complying with this regulation. Under Section 500.09 of this regulation, every covered entity is required to conduct a periodic risk assessment. There are certain requirements that need to be fulfilled –
- Risk Assessment shall be sufficient to inform the design of the cybersecurity program.
- It shall be updated as reasonably necessary to address changes to the covered entity’s IT systems.
- It must allow the revision of controls implemented by a covered entity to respond to evolving threats and technological developments.
- It must consider particular risks associated with the business operations of a covered entity.
- It must be documented and carried out in accordance with written policies and procedures.
- It must include –
- Criteria for the evaluation and categorization of identified cybersecurity risks or threats being faced by a covered entity
- Criteria for the assessment of the CIA triad and security of a covered entity’s technical infrastructure, along with the adequacy of the existing controls
- Risk Management process describing criteria for risk mitigation, risk acceptance, and how risks will be addressed
- Third-Party Service Provider Security Policy
Every covered entity must implement written policies and procedures designed to ensure the security of IT systems and nonpublic information which is accessible by any third party. These policies and procedures must deal with –
(For the image given below, TPSP refers to a third-party service provider)
Figure 3: NYDFS Third Party Service Provider Security Policy Components
- Encryption of Nonpublic Information
The regulation defines nonpublic information under section 500.01(g) as all information that is not publicly available, and it includes –
- Business–related information of a covered entity whose unauthorized disclosure, access, or use would cause an adverse impact on its business, operations, or security.
- Any information which because of name, number, personal mark, or any other identifier can be used to identify that individual, in combination with one or more of the following data elements –
- Social security number
- Driver’s license number or non-driver identification card number
- Account number, debit or credit card number
- Any security code, access code or password, or any form of authorization that would permit access to an individual’s financial account
- Biometric records
- Any information or data, except gender or age, in any form created or derived from a health care provider or an individual that relates to the mental or behavioral condition of an individual or his family, the provision of health care to any individual, or payment for the provision of health care to any individual.
Under a covered entity’s cybersecurity program, it is required by section 500.15 to implement controls, including encryption, to protect nonpublic information, whether held or transmitted by the covered entity, irrespective of whether the data is in transit over external networks or at rest.
- Incident Response Plan
As per section 500.16, a covered entity shall implement a written incident response plan to promptly respond to and recover from any cybersecurity event which materially affects the confidentiality, integrity, and availability of the covered entity’s IT infrastructure or its business operations. The components of such an incident response plan are shown below.
Figure 4: NYDFS Incident Response Plan Components
Penetration Testing and Vulnerability Assessment for NYDFS Cybersecurity Regulation
Unlike many other regulations where penetration tests and vulnerability assessments are indirectly referred to or interpreted, this regulation directly specifies the requirements for conducting penetration tests and vulnerability assessments under section 500.05. In addition, the regulation also defines penetration testing under section 500.01(h), though it misses out on defining vulnerability assessment.
This regulation states that the cybersecurity program for a covered entity must include monitoring and testing procedures that are designed to assess the effectiveness of its cybersecurity program. These procedures must be developed in line with the risk assessment conducted for the covered entity. It puts a compulsory obligation on a covered entity that –
- Annual penetration tests are to be conducted on the covered entity’s technical infrastructure in line with the risks identified in the risk assessment. These penetration tests can be internal as well as external.
- Bi-annual vulnerability assessments based on the risk assessment, which include any systematic scans or reviews of the technical infrastructure, are designed to identify publicly known vulnerabilities in the covered entity’s technical infrastructure.