Getting in Shape – NYDFS Cyber Security Regulations Webinar
Presenters: Shawn Tuma, Cybersecurity & Data Protection Attorney, Scheef & Stone LLP | Bill Belcher, VP Americas, Boldon James
In an initiative to protect New York’s financial services industry, a new State regulation has been introduced to protect consumers and financial institutions from cyber-attacks. Effective March 1, 2017, this risk-driven regulation requires all financial services institutions regulated by the Department of Financial Services (DFS) to establish and maintain a cyber security program that will protect both customers’ private data and the technology that supports it. The impact stretches down through the supply chain, as any organization that conducts business with the NYC financial services sector has to adopt the same level of data protection.
Watch this webcast to learn:
The key requirements of the NYC Cyber security regulation
How compliance is about process first, then people and technology
What organizations need to be doing to ensure they comply
How data classification can help ensure compliance
NYDFS Cybersecurity Regulations (23 NYCRR 500)
New York is one of the biggest financial hubs in the world; as you can imagine, where there is sensitive financial information, there are people who want to get their hands on it. It is for this reason that major financial firms operating in New York will face stiff cyber security obligations under the new New York Department of Financial Services Cybersecurity Regulations (23 NYCRR 500). This regulation applies to firms holding a banking, insurance or financial services licence to operate in New York. 23 NYCRR 500 has been effective as of March 1st 2017, although firms have 180 days from this introduction date to change internal systems in order to meet the new compliance and regulation standards. This fact sheet outlines:
23 NYCRR 500 overview
Key dates for covered entities
Key tasks for compliance
How Boldon James can help
New York Department of Financial Services Cybersecurity Regulations
1. Cybersecurity Regulations
Getting in Shape: New York Department of Financial Services
Bill Belcher, VP Americas, Boldon James
Shawn Tuma, Cybersecurity & Data Privacy Attorney, Scheef & Stone; General Counsel, Cyber Future Foundation
2. “Security and IT protect companies’ data; Legal protects companies from their data.” – Shawn Tuma
3. “Classification is the foundation for all data security, including DLP. Without data classification in play, it’s impossible to know what data to protect.” – Boldon James
4. Introduction
• Cybersecurity threat is ubiquitous.
• New York is a major international financial hub.
• New York Department of Financial Services (DFS)
  • Developed Proposed Cybersecurity Requirements for Financial Services Companies.
    • Released for comment on September 13, 2016
    • Effective date 1/1/17; enforcement date 7/1/17
    • Comments resulted in substantial revision
  • Revised Cybersecurity Requirements for Financial Services Companies (Cybersecurity Regulations)
    • Released final on December 28, 2016
    • Effective date 3/1/17; enforcement date 8/28/17
    • 23 NYCRR 500
    • Exemption Mechanism
NEW YORK DEPARTMENT OF FINANCIAL SERVICES CYBERSECURITY REGULATIONS
5. Key dates for Covered Entities
March 1, 2017: Law becomes effective
August 28, 2017: Must be in compliance
September 27, 2017: Deadline for filing Notices of Exemption under 23 NYCRR 500.19(e)
February 15, 2018: Deadline for Covered Entities to submit first certification under 23 NYCRR 500.17(b)
March 1, 2018: One year transition period ends; must be in compliance with sections 500.04(b), 500.05, 500.09, 500.12, and 500.14(b)
September 3, 2018: Eighteen month transition period ends; must be in compliance with sections 500.06, 500.08, 500.13, 500.14(a), and 500.15
March 1, 2019: Two year transition period ends; must be in compliance with section 500.11
6. Which businesses are impacted?
• The Cybersecurity Regulations can impact businesses globally, even if they do not do business in New York.
• Apply directly to any Covered Entity.
• Apply indirectly to Third Party Service Provider(s) of the Covered Entity, through requirements on the Covered Entity to do business with the Third Party Service Provider.
7. Which businesses are impacted?
• Covered Entity means any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.
• Person is any non-governmental entity.
• Covered Entities include these doing business in NY:
  • Banks and trust companies
  • Credit unions
  • Foreign bank branches
  • Licensed lenders
  • Health insurers
  • Life insurance companies
  • Property and casualty insurance companies
  • Licensed agents & brokers
  • Savings and loan associations
  • Bail bond agents
  • Budget planners
  • Charitable foundations
  • Check cashers
  • Holding companies
  • Investment companies
  • Money transmitters
  • New York State Regulated Corporations
  • Service Contract Providers
  (198 on website lookup)
8. Which businesses are impacted?
Exemptions – These Covered Entities are exempt from all, or designated parts, of the Cybersecurity Regulations, but must file for exemption:
• Exemption from certain sections is available to Covered Entities with:
  • Fewer than 10 employees, including independent contractors, of the CE or its Affiliates located in NY or responsible for business of the CE;
  • Less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations of the CE and its Affiliates; or
  • Less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates.
• An employee, agent, representative or designee of a CE covered under its cybersecurity program.
• A CE that has no Information System or Nonpublic Information, and is not required to have any, is exempt from certain sections.
• Additional discrete exemptions.
9. Which businesses are impacted?
• Third Party Service Provider(s) means “a Person that (i) is not an Affiliate of the Covered Entity, (ii) provides services to the Covered Entity, and (iii) maintains, processes or otherwise is permitted access to Nonpublic Information through its provision of services to the Covered Entity.”
• Nonpublic Information is all electronic information that is not publicly available and is sensitive business information of the Covered Entity, sensitive identifying information of an individual, or health care related information of an individual.
• Section 500.11 requires a Covered Entity to ensure its Information Systems and Nonpublic Information are secured when accessed by or entrusted to TPSPs, by means of risk assessments, written policies and procedures, contractual protections, representations and warranties, due diligence, and periodic assessments of the TPSP for adequacy.
10. Key Defined Terms
• Cybersecurity Event means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.
• Information System means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process control systems, telephone switching and private branch exchange systems, and environmental control systems.
• Nonpublic Information is all electronic information that is not publicly available and is sensitive business information of the Covered Entity, sensitive identifying information of an individual, or health care related information of an individual.
• Third Party Service Provider(s) means “a Person that (i) is not an Affiliate of the Covered Entity, (ii) provides services to the Covered Entity, and (iii) maintains, processes or otherwise is permitted access to Nonpublic Information through its provision of services to the Covered Entity.”
11. What do the Cybersecurity Regulations require, generally?
They provide an outline of essential minimum standards, designate who should lead the process, and mandate top-down buy-in by management and the Board of Directors:
1. Each Covered Entity must assess its unique risk profile and design a program that addresses its risks in a robust fashion.
2. Each Covered Entity must designate a qualified individual to serve as its Chief Information Security Officer, responsible for overseeing and implementing its cybersecurity program.
3. Each Covered Entity’s senior management must be responsible for its cybersecurity program and file an annual certification confirming compliance with the Cybersecurity Regulations.
12. Cybersecurity Program
Section 500.02
“Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems.”
• Shall be based on its Risk Assessment and designed to perform these core functions:
  • Identify and assess internal and external risks;
  • Use defensive infrastructure and policies and procedures to protect IS and NPI from unauthorized access, use, or malicious acts;
  • Detect Cybersecurity Events;
  • Respond to identified or detected Cybersecurity Events and mitigate negative effects;
  • Recover from Cybersecurity Events and restore normal operations and services; and
  • Fulfill applicable regulatory reporting obligations.
• Keep documentation; may adopt an Affiliate’s CP (cybersecurity program).
13. Cybersecurity Policy
Section 500.03
“Each Covered Entity shall implement and maintain a written policy or policies, approved by a Senior Officer or the Covered Entity’s board of directors … setting forth the Covered Entity’s policies and procedures for the protection of its” IS and NPI.
• Shall be based on its Risk Assessment and address these areas, as applicable:
  • Information security
  • Data governance and classification
  • Asset inventory and device management
  • Access controls and identity management
  • Business continuity and disaster recovery planning and resources
  • Systems operations and availability concerns
  • Systems and network security
  • Systems and network monitoring
  • Systems and application development and quality assurance
  • Physical security and environmental controls
  • Customer data privacy
  • Vendor and Third Party Service Provider management
  • Risk assessment; and
  • Incident response
14. Chief Information Security Officer
Section 500.04
“Each Covered Entity shall designate a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy….”
• CISO may be an employee of the CE or an Affiliate, or
• May use a Third Party Service Provider, but the CE shall:
  • Retain responsibility for compliance;
  • Designate a senior member of the CE’s personnel responsible for direction and oversight; and
  • Require the Third Party Service Provider to maintain a compliant Cybersecurity Program.
The CISO shall report in writing at least annually to the CE’s board of directors (or equivalent) on the CE’s cybersecurity program and material cybersecurity risks, considering as applicable:
• The confidentiality of NPI and the integrity and security of IS;
• CE’s cybersecurity policies and procedures;
• CE’s material cybersecurity risks;
• Overall effectiveness of the CE’s cybersecurity program; and
• Material Cybersecurity Events involving the CE.
15. Penetration Testing and Vulnerability Assessments
Section 500.05
“The cybersecurity program for each Covered Entity shall include monitoring and testing, developed in accordance with the Covered Entity’s Risk Assessment, designed to assess the effectiveness of the Covered Entity’s cybersecurity program.”
Monitoring and testing shall include:
• Continuous monitoring (or equivalent, to detect ongoing changes to IS); or
• Periodic Penetration Testing and vulnerability assessments, namely:
  • Annual Penetration Testing based on the Risk Assessment; and
  • Bi-annual vulnerability assessments that include systematic scans or reviews to identify publicly known vulnerabilities, based on the Risk Assessment.
16. Audit Trail
Section 500.06
Covered Entities shall maintain systems that:
• Are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the CE;
  • Maintain these for 5 years.
• Include audit trails designed to detect and respond to material Cybersecurity Events;
  • Maintain these for 3 years.
17. Access Privileges
Section 500.07
The Covered Entity’s cybersecurity program shall limit user access privileges to IS that provide access to NPI, and shall periodically review such access privileges.
18. Application Security
Section 500.08
The Covered Entity’s cybersecurity program shall include:
• Written procedures, guidelines and standards to ensure the use of secure development practices for in-house developed applications utilized by the CE; and
• Procedures for evaluating, assessing or testing the security of externally developed applications utilized by the CE in its technology environment.
• All such procedures, guidelines and standards shall be periodically reviewed, assessed and updated by the CISO.
19. Risk Assessment
Section 500.09
“Each Covered Entity shall conduct a periodic Risk Assessment of the Covered Entity’s Information Systems sufficient to inform the design of the cybersecurity program ….” The Risk Assessment shall:
• Be updated as reasonably necessary to address changes in its IS, NPI, or business operations.
• Allow for revision of controls to respond to technological developments and evolving threats, and consider the particular risks of the CE’s business operations, NPI collected or stored, IS utilized, and effectiveness of controls to protect NPI / IS.
• Be carried out in accordance with written policies and procedures and be documented, including:
  • Criteria for evaluation and categorization of identified cybersecurity risks or threats facing the CE;
  • Criteria for assessing the confidentiality, integrity, security, and availability of IS / NPI, and the adequacy of existing controls concerning identified risks; and
  • A description of how identified risks will be mitigated or accepted based on the Risk Assessment and how the cybersecurity program will address the risks.
20. Cybersecurity Personnel and Intelligence
Section 500.10
In addition to the CISO, CEs shall:
• Have qualified cybersecurity personnel to manage cybersecurity risks and perform services or oversee performance of the cybersecurity program;
• Provide cybersecurity personnel with appropriate updates and training; and
• Verify that key cybersecurity personnel take steps to maintain current knowledge of changing cybersecurity threats and countermeasures.
• A CE may use an Affiliate or TPSP for this.
21. Third Party Service Provider Security Policy
Section 500.11
“Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers.”
• P&P should be based on the CE’s Risk Assessment and address the following, as applicable:
  • The identification and risk assessment of TPSPs;
  • Minimum CP required of a TPSP to do business with the CE;
  • Due diligence process used to evaluate the adequacy of the CP of such TPSP;
  • Periodic assessment of such TPSP based on the risk they present and the continued adequacy of their CP.
• P&P shall include relevant guidelines for due diligence and/or contractual protections relating to TPSPs and applicable guidelines addressing:
  • TPSP’s P&P for access controls and MFA to IS / NPI;
  • TPSP’s P&P for use of encryption in transit and at rest;
  • Notice to be provided to the CE for a Cybersecurity Event; and
  • Reps and warranties addressing the TPSP’s cybersecurity P&P.
22. Multi-Factor Authentication
Section 500.12
• Based on its Risk Assessment, the CE shall use effective controls, which may include MFA or Risk-Based Authentication, to protect against unauthorized access to NPI or IS.
• MFA shall be utilized for any individual accessing the CE’s internal networks from an external network, unless the CE’s CISO has approved in writing the use of reasonably equivalent or more secure access controls.
23. Limitations on Data Retention
Section 500.13
• As part of its cybersecurity program, each CE shall include policies and procedures for the secure disposal, on a periodic basis, of any NPI no longer needed,
• Unless such NPI is required to be retained or targeted disposal is not reasonably feasible.
24. Training and Monitoring
Section 500.14
As part of its cybersecurity program, CEs shall:
• “implement risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information by such Authorized Users;” and
• “provide regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the Covered Entity in its Risk Assessment.”
25. Encryption of Nonpublic Information
Section 500.15
As part of its cybersecurity program, based on its Risk Assessment, CEs shall implement controls, including encryption, to protect NPI held or transmitted by the CE both in transit over external networks and at rest.
• A CE may use effective alternate compensating controls, reviewed and approved by its CISO, if it determines it is infeasible to use:
  • Encryption of NPI in transit over external networks; or
  • Encryption of NPI at rest.
• The CISO must review this feasibility determination at least annually.
26. Incident Response Plan
Section 500.16
As part of its cybersecurity program, the CE shall establish a written incident response plan designed to promptly respond to, and recover from, any material Cybersecurity Event.
• It shall address:
  • Internal processes for responding;
  • Goals of the IRP;
  • Definition of clear roles, responsibilities and levels of decision-making authority;
  • External and internal communications and information sharing;
  • Identification of requirements for the remediation of any identified weaknesses in the IS and associated controls;
  • Documentation and reporting regarding Cybersecurity Events and related incident response activities; and
  • Evaluation and revision of the IRP following a Cybersecurity Event.
27. Notices to Superintendent
Section 500.17
Two types of Notices are required:
• Event notification: the CE shall notify the superintendent as promptly as possible, but in no event later than 72 hours from a determination that a Cybersecurity Event has occurred that either:
  • Impacts the CE and requires notice to be provided to any government body, self-regulatory agency, or any other supervisory body; or
  • Has a reasonable likelihood of materially harming any material part of the CE’s normal operations.
• Annual reporting: on February 15 of each year, the CE shall provide the written statement (App. A) for the prior year certifying compliance with these Regulations:
  • Signed by a Senior Officer or the Chairman of the Board;
  • Maintain for 5 years, for examination, all records, schedules and data supporting the certification;
  • Where deficiencies requiring improvement are identified, document current and future efforts to remediate.
28. Enforcement
Section 500.20
“This regulation will be enforced by the superintendent pursuant to, and is not intended to limit, the superintendent’s authority under any applicable laws.”
The New York Department of Financial Services has very broad authority to investigate civil matters and, through its Criminal Investigations Bureau, criminal matters as well.