By Katherine Teitler
March 2, 2017
We’ve only just begun
On March 1, 2017, New York State became the first state in the nation to impose cybersecurity-specific regulation on financial services organizations operating within its borders. According to the press release on the Department of Financial Service’s (DFS’s) website, dated February 16, 2017, the stated aim of the regulation is to “protect New York’s financial services industry and consumers from the ever-growing threat of cyber-attacks.”
Though the rules took effect at the beginning of the month, affected enterprises have transition periods ranging from 180 days to 18 months to comply with different aspects of the law. The good news is that financial institutions are historically among the early adopters when it comes to cybersecurity practices, so many of the impacted enterprises are likely to have already addressed some of the new requirements.
The bad news is multifold: To start, it is probable that larger banks, insurance companies, etc. can more easily comply, leaving the smaller organizations with fewer available resources scrambling to address open issues. The second consideration is that, as with all compliance, the cybersecurity requirements are a baseline; implementing the outlined changes will not make financial institutions in New York State secure and breach free. In fact, the brief on the DFS’s website even mentions the “minimum standards”:
“Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances.”
Digging into the rules, however, the language addressing specific actions that must be taken reads more prescriptively and fails to iterate their “minimal” nature. Provided financial institutions’ leaders do approach the regulation as a baseline, this could have a very positive effect on both enterprises and consumers. And since, as previously mentioned, financial services companies have shown interest in staying ahead of the game as it relates to cybersecurity, the regulation may be a sign of good things to come, especially if other states follow suit and implement similar requirements.
Before the risin’ sun we fly
With that, let’s take a look at some of the requirements. Although only New York State financial institutions must comply, the cybersecurity guidance can be used by any organization anywhere in the U.S. as a measure by which to upgrade security plans (if the directives have not yet been surpassed).
Cybersecurity Program: All financial services companies operating in New York State must “maintain a cybersecurity program designed to protect the confidentiality, integrity, and availability (CIA) of the Covered Entity’s Information Systems.” Further, the program itself must be based on the entity’s individual risk assessment which takes into account the organization’s internal and external cyber risks, infrastructure, identification and response/recover capabilities, and reporting obligations.
Cybersecurity Policy: Covered entities must create and maintain written policies governing the organization’s intended “procedures for the protection of its Information Systems and Nonpublic Information stored on those Information Systems.” The policy must be approved by a senior member of the company’s board and must address the organization’s operational plans in 14 specified areas, including data governance, asset inventory, systems and networking security and monitoring, application development, and other key areas listed in the CIS Critical Security Controls.
Leadership: Organizations must appoint a qualified Chief Information Security Officer (CISO) to oversee all policies and procedures. The one caveat of this section is that the CISO does not have to be a full-time employee of the covered entity; she or he may be an employee of an affiliate organization or a third-party service provider. In those cases, the organization itself maintains responsibility for the cybersecurity program. Responsibility is not shifted to the external party.
Penetration Testing and Vulnerability Assessments: According to the document on the DFS’s website, “The monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments, and shall be done periodically.” The conventional wisdom is that continuous monitoring and regular penetration testing and vulnerability assessments are a best practice, so this rule would be best served to keep in mind the “minimum requirement” statement provided in the opening paragraphs.
Audit Trail: This one is pretty straightforward: Financial services companies must keep accurate records of what’s happening inside the organization’s cybersecurity program. Records must be maintained, at a minimum, for five years.
Access Privileges: Under the new regulation, covered companies must “limit user access privileges” to sensitive information, and must “periodically review such access privileges,” though the word “limit” is left up to interpretation.
Application Security: In a very positive move by the DFS, the regulation requires organizations to create, maintain, and periodically update written procedures, guidelines, and standards for the secure development of any applications developed in-house.
Risk Assessment: Risk assessments should be the guiding factor behind any organization’s cybersecurity program. While “risk assessments” are referred to earlier in the document, it is curious that definitions fall further down the document. However, under the new law, New York State financial institutions must not only complete periodic risk assessments but must also “allow for revision of controls to respond to technological developments and evolving threats.”
Cybersecurity Personnel and Intelligence: Covered entities must utilize “qualified” professionals to carry out the duties outlined in the program plan, though personnel may be contracted through an affiliate or third party.
So many roads to choose
Third-Party Service Provider Security Policy: One of the longest sections of the new regulation, the third-party requirements acknowledge how important it is for organizations to vet and regularly assess the security posture of any partners. Third-party provider issues have been the initiation point for many major incidents and breaches, and the new requirement assures that NY-based financial services organizations can no longer deprioritize the problem.
Multi-Factor Authentication: This section reads as more of a recommendation than a requirement, as MFA is considered one of the “effective controls” which “may” be used. The section continues to recommend MFA as a control for any external party connecting to the internal network, that is unless the CISO approves in writing that it is not required.
Limitations on Data Retention: Financial institutions must abide by all governing laws and regulation about data retention. When retention requirements have expired, covered entities must have defined policies and procedures for the secure disposal of sensitive data.
Training and Monitoring: This section requires covered organizations to develop policies, procedures, and controls for acceptable use, and to provide training for users.
Encryption: Encryption is a requirement for all covered financial institutions’ sensitive data at rest and in motion, though a subsection does make allowances for the “infeasibility” of encryption of sensitive data in transit over external networks.
Incident Response Plan: Each covered entity must create and maintain a written incident response plan that allows the organization to prepare for, deal with, and recover from any security event “materially affecting” the organization. What’s noteworthy is that the regulation refers to a security “event” rather than “incident,” which indicates that the DFS expects financial institutions to be more conscientious about potential indicators of compromise and not focus only on larger issues.
Notices to Superintendent: Following the above section, organizations must report cybersecurity events—not just incidents or breaches—to the superintendent, Maria T. Vullo, within 72 hours of discovery.
We’ll start out walkin’ and learn to run
New York State’s regulation is a step in the right direction for prioritizing cybersecurity within critical infrastructure. Though only certain entities must heed the letter of this law, other organizations with the capability would be wise to adopt as many of the guidelines as possible. Notwithstanding, while the requirements of the New York State DFS’s regulation go beyond the basics, they by no means constitute a comprehensive cybersecurity program that can resist the frequency and classes of attacks today’s organizations observe daily.
Companies must start somewhere, though, and if New York’s regulation paves the road to better security policies and procedures across the board, everyone, from organizations and their executives to consumers, will start to reap the benefits regarding fewer successful cyber attacks.
Click here for more information on our InfoSec World Conference & Expo in Orlando from April 3-5.
More Infosec Articles