In early March, the State of New York’s Department of Financial Services (DFS) adopted a new set of rules in support of the state’s Financial Services Law. Normally, this is not something that would be particularly newsworthy, as the DFS is chartered to implement rules of governance and management for financial services companies all the time; over the past few years, the DFS has issued rules regarding financial dispute resolution, debt collection, and even the use of Bitcoin and other virtual currencies. What makes the March resolution – titled “23 NYCRR 500” – so interesting is that, for the first time, it defines specific cybersecurity governance requirements for all financial services companies operating in the state. As you might expect, since New York City is one of the top three financial centers of the world, this ruling has a substantial impact.
Although NYCRR 500 is not over-prescriptive (meaning that it doesn’t get down to the level of requiring specific security controls or tools), it is mandatory for virtually all financial services providers in the state. Some of the specific requirements of the mandate include:
- Cybersecurity Program. Each organization needs to have a formal cybersecurity program in place that is based on a risk assessment. It also requires organizations to implement capabilities for detecting, responding to and recovering from cybersecurity events.
- Cybersecurity Policy. Organizations must have a written set of information security policies. The scope of those policy statements is substantial, and must include: information security; data governance and classification; asset inventory and device management; access controls and identity management; business continuity planning and disaster recovery; systems operation and availability; systems and network security; systems and network monitoring; application development and quality assurance; physical security and environmental controls; customer data privacy; vendor and third-party management; ongoing risk assessments; and incident response.
- Chief Information Security Officer. Organizations must now have a CISO, who is both accountable for cybersecurity and has sufficient authority to manage and report on cybersecurity posture.
- Penetration Testing. On an ongoing basis – preferably continuously – organizations need to conduct vulnerability assessments and selective penetration testing of their infrastructure and systems.
- Audit Trail. Organizations must capture and retain logs in a manner that allows them to reconstruct cybersecurity incidents.
- Cybersecurity Personnel and Intelligence. All personnel who conduct cybersecurity activities on behalf of covered organizations (whether internal employees or a third party) must have appropriate skills.
What makes NYCRR 500 unique in the realm of state-level regulations is that it is focused on cybersecurity. While many states have data privacy and breach notification laws, NYCRR 500 is the first – but most likely not the last – state-level mandate that explicitly addresses cybersecurity requirements for a specific industry.
So, if you’re an organization that must comply with NYCRR 500, what do you do? Fortunately, there are several actions you can take to quickly come into compliance with this mandate:
- Know What’s Applicable to You. Although this mandate applies to the entire financial services industry, there are some exemptions for various types of organizations. For example, if your organization manages less than $5 million in assets, and/or if you have under 10 employees, certain parts of the mandate don’t apply to you. Similarly, if you’re simply an independent agent of a larger organization (for example, a certified financial planner who sells financial products for a larger company), you are usually covered under the umbrella of that larger organization. For detailed information on applicability, see the “Exemptions” section of NYCRR 500, which is found at http://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf.
- Conduct a Risk Assessment. Decisions about your cybersecurity program must be based on risk. A proper risk assessment identifies the information assets of your organization and what they’re worth, and intersects that with known threats and their likelihood and impact if they’re realized. Without a risk assessment, your cybersecurity program will be flying blind.
- Implement Written Policies. Policies are the backbone of any cybersecurity program. They drive the justification behind security processes and controls, and they are critical to ensuring that personnel, partners and other constituents handle sensitive non-public data in a secure manner.
- Implement Critical Security Controls Such as Monitoring, Vulnerability Management and Patch Management. Much of NYCRR 500 is built around protecting assets through continuous monitoring (both event monitoring and vulnerability monitoring) and ensuring that systems stay protected (for which patch management is a critical capability). By using technologies to implement these controls – such as SOCVue from EiQ Networks, which provides all three – you can not only ensure compliance with this mandate, but actually reduce risk.
- Ensure Your Cybersecurity Personnel Have Appropriate Skills and Experience. Unlike many security standards, NYCRR 500 mandates that the people conducting cybersecurity activities must be qualified and trained. For many organizations, this can be a significant expense; using a co-managed service such as SOCVue, which provides qualified and trained security operations personnel for continuous monitoring of your environment, can help to offset the high capital expenditures associated with finding, hiring and training internal security personnel.
While NYCRR 500 is the first example we’ve seen of a state-level cybersecurity mandate directed at a specific industry, it certainly will not be the last. For financial services organizations that have to comply with these requirements, the importance of implementing a well thought-out, risk-based cybersecurity program cannot be overstated.