NYDFS Cybersecurity Regulation Q&A
Last winter, Governor Andrew M. Cuomo announced the first-in-the-nation cybersecurity regulation to protect New York’s financial services industry and consumers. You can read more about the announced regulation in our previous article. The deadline for covered entities to comply with the New York State Department of Financial Services (“DFS”) Cybersecurity Regulation is quickly approaching.
Below are some preliminary questions, followed by additional key questions, that your organization should be asking itself.
For those of you unfamiliar with New York’s Cybersecurity Regulation, some preliminary information can be found in the questions and answers below. If you’re already familiar with the Regulation, continue to Part II.
Part I: Preliminary Questions and Answers
Prelim Question 1: What is New York’s Cybersecurity Regulation?
The New York State Department of Financial Services created a requirement for organizations it oversees to establish a minimum cybersecurity risk management program as a result of the growing risks associated with cybersecurity. The New York Cybersecurity Regulation was issued under Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations (23 NYCRR 500). The full New York State Department of Financial Services (“DFS”) Cybersecurity Regulation can be found at https://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf. The Regulation became effective on March 1, 2017.
Prelim Question 2: What organizations need to comply with the DFS Cybersecurity Regulation?
Any regulated institution under New York State Department of Financial Services (DFS) is required to comply. Institutions that are supervised by DFS can be found on the DFS website at https://www.dfs.ny.gov/about/whowesupervise.htm.
Prelim Question 3: Do all institutions need to comply with all of the components of the DFS Cybersecurity Regulations?
No. All Covered Entities need to comply with a minimum set of requirements; however, there are several factors that, if applicable to an institution, allow it to file for a limited exception from some of the requirements. The limited exception, listed in Section 500.19 of the DFS Cybersecurity Regulation, is applicable to Covered Entities with:
- (1) fewer than 10 employees, including any independent contractors, of the Covered Entity or its Affiliates located in New York or responsible for the business of the Covered Entity, or
- (2) less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations of the Covered Entity and its Affiliates, or
- (3) less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates.
Additional exceptions are allowed depending on whether the entity operates or has access to any Information Systems and whether the entity directly or indirectly has access to Nonpublic Information other than information relating to its corporate parent company (or Affiliates).
The deadline for filing for an exception passed as of October 30, 2017.
Part II: Additional Key Questions and Answers
Now that you have a preliminary understanding of the NYDFS Cybersecurity Regulation, here are some additional answers to common questions.
Question 1: What are the upcoming key dates to comply with the DFS Cybersecurity requirements, and what is required of my organization to be in compliance?
The key upcoming dates to remember are as follows:
- February 15, 2018 – Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date. This requires that Covered Entities submit a written statement covering the prior calendar year certifying that the entity is in compliance with the applicable requirements of the Cybersecurity Regulation (excluding those elements still within a transitional period). In the event material improvements are needed, the written statement must identify the improvements required and the actions and timing of the remediation efforts. The format of the written statement is provided in Appendix A of the Regulation.
- March 1, 2018 – One-year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500. At a high level, these sections require that the following be completed by March 1, 2018:
- 500.04(b): The assigned Chief Information Security Officer has provided a written report on the Covered Entity’s cybersecurity program and material cybersecurity risks to the Board of Directors or equivalent governing body.
- 500.05: A penetration testing and vulnerability assessment program be established whereby penetration testing is performed on an annual basis and vulnerability assessments are performed on a bi-annual basis.
- 500.09: A risk management program be established whereby a risk assessment is performed on a periodic basis to identify risks and to ensure that controls have been established to mitigate them.
- 500.12: Multi-factor authentication mechanisms have been established to protect against unauthorized access to nonpublic information or information systems.
- 500.14(b): A cybersecurity awareness training program be established, and all personnel trained on the content of the program.
- September 3, 2018 – Eighteen-month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500, which are summarized below:
- 500.06: Mechanisms be established to allow the Covered Entity to retain an audit trail for a period of no less than five years.
- 500.08: Mechanisms be established to assess the security of both internally and externally developed applications utilized within the institution’s technology environment.
- 500.13: Policies and procedures be established to limit data retention to the data’s useful life or to the period required by law or regulation. In addition, this section requires that Nonpublic Information be disposed of in a secure manner.
- 500.14(a): Mechanisms be established to monitor user access, unauthorized access attempts, and/or tampering with Nonpublic Information.
- March 1, 2019 – Two-year transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11. In summary, this section requires that a third party service provider security policy be established to ensure that third parties are identified and periodically assessed.
Question 2: Is your Board of Directors or Senior Officers ready to sign off that your organization is in compliance with the applicable DFS Cybersecurity Regulations?
This is a question only they can answer; however, many business leaders are seeking a level of independent assurance before they execute the Certification of Compliance with the DFS Cybersecurity Regulation. Obtaining an independent assessment of your cybersecurity program is especially important for organizations that historically have not had a program in place, in order to determine whether a reasonable framework has been established.
Question 3: If my organization has developed a risk assessment in the past, will it meet the requirements of the DFS Cybersecurity Regulations?
A typical risk assessment will not suffice for the purposes of the DFS Cybersecurity Regulation; however, if done correctly, prior risk assessments can be a valuable starting point for updating the risk assessment to meet the requirements of the Regulation. The Regulation’s specific guidance on what DFS requires in a risk assessment is limited. As a result, it is recommended that additional guidance be considered in developing your risk assessment, so that if any questions arise you can support your methodology. NIST SP 800-30 and ISO 27005 both provide guidance for establishing a risk assessment; both are useful reference materials that are highly recognized and respected within the industry.
Question 4: Has a third party been identified, contracted and scheduled to perform penetration testing?
The DFS Cybersecurity Regulation requires both penetration testing and vulnerability assessments to be implemented by March 1, 2018. If a third party has not yet been selected, your organization may want to move forward in the process. A penetration test typically requires at least a few weeks to appropriately plan, execute, and report on the results. A vulnerability assessment can usually be performed on a more condensed timeframe, as less planning is involved, and can even be performed by internal parties within the organization.
Do you have more questions pertaining to the Regulation or whether your cybersecurity program will sufficiently address the various requirements? Withum’s Cyber & Information Security Services team is able to help. They are prepared to aid you in understanding the Regulation, developing your cybersecurity program, performing penetration tests on your systems to see where your vulnerabilities lie, or performing an independent assessment to ensure that your existing cybersecurity program meets the requirements. Our team is also able to help you respond and recover should a breach occur and assist with the aftermath of a breach.
For more information please contact a member of our Cyber & Information Security Services team by filling out the form below.