CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES
23 NYCRR 500
If you or your clients work with a company located in the State of New York, you should learn about 23 NYCRR Part 500, a regulation establishing cybersecurity requirements for financial services companies.
If you don’t have the time to read it, I will attempt to break it down as simply as possible.
Obviously we are all aware of the state of cybersecurity. Companies in the USA have been targeted by other countries for their trade secrets, patents and identities, not to mention disruption of their business continuity, which ultimately damages the company’s reputation and costs it revenue.
The list of such incidents goes a mile long. The Department of Health and Human Services has a “Wall of Shame” that exposes healthcare providers and informs the public of breaches affecting 500 or more individuals. How many companies do you think have no idea something has happened, or are too afraid to say something?
I often refer to the state of the internet as the “Wild West”. Hopefully this is another step in the right direction.
To comply with the New York State Department of Financial Services (DFS) cybersecurity regulation, organizations that process or access personally identifiable information (PII) must adopt and/or maintain a cybersecurity program. This covers the banking, insurance and financial services industries along with their regulated entities, which are subject to minimum standards for their programs.
The Cybersecurity Program is designed to protect the systems by:
- Identifying internal and external cybersecurity risks
- Having technologies in place to defend the infrastructure. The regulation is not specific about the type of technology, but examples include firewalls, endpoint protection and intrusion detection and prevention systems, among many other security solutions.
- Having the capabilities to detect cybersecurity events
- Being in a position to respond to those events and being able to restore systems to normal operation
- Being able to report on the progress and/or effectiveness of the program
Each organization is required to conduct a periodic Compliance Risk Assessment to lay out the direction and the remediation steps necessary to become compliant. Most regulation-driven industries require companies to follow these steps and, most importantly, to perform a risk assessment. We will see how many will ultimately “follow the rules”.
The Cybersecurity Program also consists of:
Maintaining Written Policies
These policies would be developed based on the results of the Compliance Risk Assessment.
Policies could include, but are not limited to, information security, data governance, device management, access controls, business continuity and disaster recovery, network operations and application development. They would also cover physical security, data privacy, vendor management and incident response.
Other requirements include having a qualified individual responsible for overseeing, implementing and enforcing the written policies. This could also be a third-party provider.
Penetration Testing and Vulnerability Assessments
Each covered entity must monitor and test its environment based on the Compliance Risk Assessment. This would include continuous monitoring or periodic Penetration Testing and Vulnerability Assessments.
The Penetration Testing would be done each year in accordance with the Cyber Risk Assessment, along with bi-annual vulnerability assessments. Both of these tests would identify gaps in the information systems and software and provide guidance for better decision making when remediating those vulnerabilities.
Each organization needs the ability to pull up system or event logs from a device(s) at a given point in time for a minimum of 3-5 years. This is important for investigating an incident or performing a digital investigation of an event that has already happened. A recent report puts the Breach Detection Gap (the time elapsed between the initial breach of a network by an attacker and the discovery of that breach) at 146 days on average, globally. We would also recommend having the ability to back up and store those logs somewhere they cannot be stolen, wiped or corrupted.
From our experience, the above steps should be the minimum any organization in any industry should be doing, whether it operates in a regulated industry or not. By conducting a full Compliance Risk Assessment you go a lot deeper to find out where all the security gaps in your organization are.
The other areas covered in this regulation, which should be the focus of the risk assessment, include:
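As an added illustration (not part of the original post and not taken from the regulation’s text), this Python sketch shows the two properties the paragraph asks for: point-in-time retrieval of one device’s events, and detection of a record that was wiped or altered after the fact, using a SHA-256 hash chain over the archived records. The sample events, device names and addresses are constructed for the demo.

```python
import hashlib
import json

# Constructed sample events for the demo (not real logs): UTC timestamp, device, message.
SAMPLE_EVENTS = [
    ("2017-03-01T08:00:00Z", "fw-edge-1", "denied inbound tcp/3389 from 203.0.113.7"),
    ("2017-03-01T08:05:12Z", "dc-01", "logon success user=alice"),
    ("2017-03-02T23:41:09Z", "dc-01", "logon failure user=alice count=5"),
    ("2017-03-03T01:10:33Z", "dc-01", "security log cleared by user=alice"),
]
GENESIS = "0" * 64  # prev-hash carried by the first record

def _digest(record):
    # SHA-256 over the record's canonical JSON, excluding its own hash field
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_record(archive, ts, device, msg):
    # Each record commits to the previous hash, so a later edit or deletion breaks the chain.
    prev = archive[-1]["hash"] if archive else GENESIS
    record = {"seq": len(archive), "ts": ts, "device": device, "msg": msg, "prev": prev}
    record["hash"] = _digest(record)
    archive.append(record)
    return record["hash"]

def verify_chain(archive):
    # Returns (True, None) if intact, else (False, seq) of the first broken record.
    expected_prev = GENESIS
    for rec in archive:
        if rec["prev"] != expected_prev or rec["hash"] != _digest(rec):
            return False, rec["seq"]
        expected_prev = rec["hash"]
    return True, None

def query(archive, device, start, end):
    # Point-in-time retrieval for one device, start <= ts < end.
    # Fixed-width UTC ISO-8601 strings sort chronologically, so plain comparison works.
    return [r for r in archive if r["device"] == device and start <= r["ts"] < end]

def build_archive(events=SAMPLE_EVENTS):
    archive = []
    for ts, device, msg in events:
        append_record(archive, ts, device, msg)
    return archive

def tamper_demo():
    archive = build_archive()
    archive[3]["msg"] = "routine maintenance"  # simulated after-the-fact edit
    return verify_chain(archive)
```

The chain catches edits and deletions inside the archive; to also catch truncation of the most recent records, the latest hash must be copied somewhere the log host cannot rewrite, such as the off-site backup the paragraph recommends.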
- Access Privileges
- Application Security
- Cybersecurity Personnel and Intelligence
- Third Party Service Provider Security Policy
- Multi-Factor Authentication
- Limitations on Data Retention
- Training and Monitoring
- Encryption of Nonpublic Information
- Incident Response (IR) Plan
If there happens to be a cybersecurity event which compromises data or systems, you will need to notify the superintendent within 72 hours.
You will also need to provide your risk assessment report certifying that you are in compliance. They also require all materials supporting the certification to be available for a period of five years.
Some of the exemptions include:
- Fewer than 10 employees
- Less than 5 million in gross annual revenue
This went into effect on March 1st 2017, and Covered Entities have 180 days from the effective date to comply with these requirements.
Our recommendation for organizations needing to comply is to engage a cybersecurity or compliance company as soon as possible; this will make the process a lot more manageable.
ChannelSOC delivers a fully managed SIEM solution with Security Operation Center services to our partners, continuously checking for anomalous activity and ensuring that you’re continuously upholding your compliance requirements with a solution that’s always on and proactively protecting you from cyber attacks.