NYDFS Cybersecurity Compliance Countdown: Preparing for the Next Three Deadlines
In December 2016, the New York State Department of Financial Services (DFS) published cybersecurity regulations designed to protect consumer data and financial systems from escalating cyberthreats. The nation’s first cybersecurity law for financial services, known as NYDFS 23 NYCRR 500, went into effect March 1, 2017.
NYCRR 500 requires covered entities, which include banks, insurance companies, and other financial services institutions regulated by New York DFS, to establish and maintain a risk-based cybersecurity program and ensure compliance with rigorous cybersecurity requirements. The regulation also stipulates that senior management takes responsibility for the organization’s cybersecurity program and files an annual certification that confirms compliance.
NYCRR is being rolled out in a series of four milestones. The first, a requirement to submit a Certificate of Compliance by February 15, 2018, has already passed. Covered entities were required to submit no later than February 15, 2018 a certification stating cybersecurity incidents from the prior year.
Subsequent compliance deadlines, discussed below, are February 15, 2019 and February 15, 2020. Here’s what you need to know to prepare for the next round of deadlines.
Milestone 2: february 15, 2019 compliance deadline
Requirements included in the second milestone focus on managing risk, assessments for threats and vulnerabilities, access control, and employee awareness and training.
Section 500.04 (b) stipulates that the financial institution’s Chief Information Security Officer (CISO) submit an annual report to the company’s board of directors on the cybersecurity program and material cybersecurity risks. The report should describe the effectiveness of the cybersecurity program along with other factors like policies and procedures, and material cybersecurity incidents. Section 500.09 stipulates that risk-assessment policies are documented and that the financial institution conducts periodic risk assessments of in-scope systems.
This milestone also addresses specific technologies to help safeguard data. Section 500.05 requires that organizations conduct annual risk-based external penetration testing and bi-annual vulnerability assessments. Section 500.12 calls for implementation of multi-factor authentication (MFA) to protect against unauthorized access to nonpublic data and information systems.
Finally, section 500.14 (b) specifies regular cybersecurity awareness training for all personnel. This training program should be frequently updated to reflect newly identified threats and risks.
Milestone 3: February 15, 2019 compliance deadline
The third milestone covers processes such as data-retention and audit capabilities, as well as technologies to help ensure application security, data-access monitoring, and encryption.
Section 500.06 stipulates that organizations have auditing capabilities to reconstruct financial transactions and maintain audit trails of material cybersecurity events. Section 500.13 sets forth data-retention processes and secure disposal policies for data that is no longer needed for operations or legitimate business purposes.
Section 500.08 requires implementation and documentation of security safeguards for in-house applications, and that secure development practices are in place. Encryption of nonpublic information, or use of controls approved by the organization's CISO, is stipulated in Section 500.15. To further protect nonpublic data, Section 500.14 (a) requires risk-based monitoring of access to better detect unauthorized use.
Milestone 4: February 15, 2020 compliance deadline
The final milestone (500.11), calls for implementation of security policies for third-party service providers. It requires that organizations implement written policies and procedures to help protect information systems and nonpublic data that are accessed by or held by third-party service providers.
How CohnReznick can help
CohnReznick understands the business of financial services, the need to safeguard valuable data assets, and today’s sophisticated cybersecurity threats. We also have deep experience with the risk-based technologies, processes, and people skills needed to develop and implement enterprise cybersecurity programs.
If you need help assessing your organization’s readiness for compliance with NYDFS 23 NYCRR 500, we can help you:
CISO and Board Reporting
- Assess cybersecurity policies and procedures
- Review annual report on the cybersecurity program, material risks, and cybersecurity incidents
- Interview the CISO or equivalent to understand the overall effectiveness of the cybersecurity program
Penetration Testing and Vulnerability Assessment
- Assess the external penetration testing and vulnerability assessment policies
- Review policies and testing reports of external hosting providers
- Evaluate the scope and test plans for penetration testing
Encryption of Nonpublic Information
- Interview company SMEs to understand encryption policies for data in transit and at rest
- Review data-classification standards
- Evaluate the current MFA deployment
- Review access-management policies
- Appraise application-risk rating methodology
- Determine if MFA is enabled on high-risk applications
- Interview company stakeholders to understand the current logging and monitoring processes
- Review data-classification and retention policies for nonpublic information review logs of systems that handle financial transactions
- Evaluate the organization’s secure data-disposal policy
- Determine that the policy is operational and effective
- Review the company’s Software Development Lifecycle (SDLC) to evaluate code review, segregation of duties, and separation of development, testing, QA and production environments
- Review any related policies and procedures per OWASP’s Application Security Verification Standard
- Reviewing change-management tickets
- Assess AD configurations for enforcement of segregation of duty
- Assess the company’s secure data-disposal policy and determine if it is operational
- Evaluate access-management processes and procedures
- Review access-management system logs
- Assess data-inventory classification to determine if sensitive data are encrypted at rest and in transit
Cybersecurity Awareness and Training
- Review security training policy and material
- Review the training log
This has been prepared for information purposes and general guidance only and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its members, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.