The DFS Cybersecurity Regulation 23 NYCRR 500 Marathon

August 29, 2017


    Today’s blog is brought to you by Trevor Smith, EVP of Sales and Marketing at Brite.  Trevor has 20 years of technology experience and a passion for problem solving with cutting edge technologies.

    Monday, August 28th, marked the first deadline in the New York Department of Finance Cybersecurity Regulation 23 NYCRR 500. There have been a lot of questions leading up to this deadline including the level of enforcement by DFS, financial impact of non-compliance, breadth of organizations included and the necessary measures to become compliant.

    These points have led to a lot of discussions and consulting projects, but sadly have not produced concrete answers. The bottom line is that 23 NYCRR 500 is an official NYS DFS Cybersecurity Regulation and while we do not know the true non-compliance consequences, it is better to play it safe and work towards compliance.

    To help you along your pathway to 23 NYCRR 500 compliance, we have broken down each deadline. In addition, Brite has developed a more detailed Assessment tool for those that still need to gather the information and present it to executive leadership. Please request a sample.

    Deadline 1 – August 28, 2017

    What needs to be in place now (without all the legal confusion).

    Cybersecurity Program

    In the simplest form, a covered entity needs to have a formal documented cybersecurity program in place that identifies and remediates risks and cybersecurity events.

    Cybersecurity Policy

    All covered entities must have a written policy that outlines how non-public data is/will be protected. The Cybersecurity Policy can be thought of as an organization’s plan for compliance.

    Appoint Chief Information Security Officer (CISO)

    One of the simpler elements of the regulation – a covered entity needs to appoint a CISO or outsource the role of CISO to a third party, making them a virtual CISO.

    Have Method in Place to Control Access Privileges

    Control Access Privileges is the only technology implementation component of the first 23 NYCRR 500 deadline. This section of the regulation says that a covered entity needs to have a system in place to limit user access privileges to non-public information. Only those that need to have access to sensitive information should have access.

    Have Qualified Cybersecurity Personnel Internally or Hire a Third Party

    Again, an easy component to compliance. This section simply states that covered entities need to have internal cybersecurity expertise, or hire a third party who has cybersecurity expertise.

    Have an Incident Response Plan

    Every covered entity needs to have a documented process of what to do when a cybersecurity event takes place. Having a written plan is intended to aid an organization in promptly responding and remediating an incident.

    Not too bad, right? Mainly what is needed for the first deadline is documented preparation for the next 3 deadlines. If you are not compliant with any of the above, please reach out to us in the form below for help.

    Deadline 2 – March 1, 2018

    You still have plenty of time – but don’t wait too long to engage with a security expert!

    CISO Annual Report

    The CISO must submit their first annual report to the board of directors (or equivalent governing body) to ensure they are aware of the organization’s cybersecurity climate.

    Penetration Testing and Vulnerability Assessments

    The first internal penetration testing and vulnerability assessments must take place. Penetration testing must then be done annually and vulnerability assessments must be done bi-annually.

    Risk Assessment

    The results of the penetration tests and vulnerability assessments should be reviewed and guide any edits to the cybersecurity program and policy. The periodic risk assessment ensures that an organization is adapting as new threats emerge.

    Multi-Factor Authentication

    To access non-public information, organizations must implement multi-factor authentication to ensure that only those who should be accessing information are accessing it. The rule of thumb is to have one element of the authentication be something you know (a password) and another be something you have (a fingerprint, text message code, etc.).

    Training and Monitoring (Part B)

    With the sensitive nature of financial institutes’ data, authorized users need to have formalized training on cybersecurity awareness and best practices. A single employee (especially if a privileged user) clicking on a bad link can cause a headline-making breach.

    As you see, the second deadline does require some technology components. There are many options that satisfy the regulation and can add to the security of your organization. Brite partners with multiple solutions providers and can match you with the best tool for your organization and budget.

    Deadline 3 – September 1, 2018

    This is when the bulk of technology needs to be implemented, if not already a part of an organization’s cybersecurity strategy.

    Audit Trail

    A covered entity must maintain, for 5 years, the records that will allow it to reconstruct financial transactions to support normal operations in case of an incident. Additionally, an audit trail should be designed to detect and respond to cybersecurity events.

    Application Security

    For any in-house built applications, a written guideline must be followed to ensure the security of that application. Vulnerabilities in an organization’s application can be exploited and used to access non-public information.

    Limitation on Data Retention

    A covered entity must have policies and procedures (and often a tool) to ensure the secure disposal of non-public information after the designated record retention period. The disposed information, though not still relevant to the organization, may still have information that cybercriminals would love to access!

    Training and Monitoring (Part A)

    Training can deter many cybersecurity events, but not all. Therefore, a tool is also needed to monitor unusual use patterns of authorized users to ensure accounts were not breached.

    Encryption of Non-Public Information

    All covered entities, based on their Risk Assessment, must utilize encryption to protect nonpublic information that they hold or transmit, both in transit over external networks and at rest. The CISO should review the effectiveness of encryption at least annually.

    The third deadline is the most technology heavy section and will probably need budget planning to achieve compliance. Again, a vast array of tools can help an organization become compliant in each section. Your security experts at Brite are here to help navigate the sea of tools with you.

    Deadline 4 – March 1, 2019

    The last and shortest of the deadlines in the NYS DFS Cybersecurity Regulation 23 NYCRR 500! Though only one item, this will by far be the hardest to comply with due to the many involved parties.

    Third Party Service Provider Security Policy

    Each organization must implement and enforce written cybersecurity policies and procedures for third party service providers that have access to non-public information systems. The covered entity assumes liability of the non-public information accessed by third parties and therefore needs to ensure proper handling of that information by third parties.

    Certainly the most logistically challenging to manage, but third parties must be held to the same standards of cybersecurity after seeing how an HVAC company’s cybersecurity faults assisted in the Target breach. Our suggestion is to work with key third parties significantly before the deadline to ensure compliance by March 1, 2019. Not sure where to start? Ask Brite and we will get you started on the right path.

    NYS DFS Cybersecurity Regulation 23 NYCRR 500 is a marathon, not a sprint. You may need to sprint to compliance for the first deadline, but Brite will be your training partner for the entirety of your compliance journey to ensure you cross the finish line by the March 1, 2019 date. Fill out the form below for your personal partner in the cybersecurity regulation marathon.
