Governor Andrew M. Cuomo announced a new regulation to help protect New York State financial institutions from cyberattacks. The regulation, developed by the New York State Department of Financial Services, requires New York-based banks, insurers, and other financial institutions to develop a formal cyber security program within their organization. The purpose is to establish a baseline of cyber security best practices for the organizations that handle important financial and consumer data. The regulation is formally known as Section 500 under Title 23.
New York State is one of the first to implement a cyber security regulation upon this sector and shows the State is prioritizing cyber security to protect consumers. The effective date of this new regulation is January 1, 2017. Covered Entities shall have 180 days from the effective date of this regulation to comply with the new cyber security requirements. It is very important your team gets started early and identifies where your biggest risks may be. You will have until June 1, 2017 to demonstrate compliance and self-certify.
We took a look at this new regulation and outlined some key areas you need to understand if you fall under this new regulation:
Section 500.02: Establishment of a Cybersecurity Program
Regulated financial institutions will establish a cybersecurity program, designed to ensure the confidentiality, integrity and availability of information systems, that performs five core cybersecurity functions:
- Identification of cyber risks.
- Implementation of policies and procedures to protect against unauthorized access/use or other malicious acts.
- Detection of cybersecurity events.
- Responsiveness to identified cybersecurity events to mitigate any negative effects.
- Recovery from cybersecurity events and restoration of normal operations and services.
What you need to do:
The goals of the cyber security program are not new by any means. Many industries have already established a framework for cyber security. Although this framework is different in presentation, the purpose of the program remains the same. A cyber security program for financial services companies should communicate the importance of cyber security risks to your organization. Getting strong executive support should be a priority, both to get the program off the ground and to maintain continuous support.
Section 500.03: Adoption of a Cybersecurity Policy
Regulated financial institutions must adopt a written cybersecurity policy, setting forth policies and procedures for the protection of their information systems and nonpublic information that addresses, at a minimum, the following:
- Information security.
- Data governance and classification.
- Access controls and identity management.
- Business continuity and disaster recovery planning and resources.
- Capacity and performance planning.
- Systems operations and availability concerns.
- Systems and network security.
- Systems and network monitoring.
- Systems and application development and quality assurance.
- Physical security and environmental controls.
- Customer data privacy.
- Vendor and third-party service provider management.
- Risk assessment.
- Incident response.
What you need to do:
Cyber security policies are simple to develop if you have had experience creating other policies before. Remember, a policy is an overarching guidance statement that helps guide the general direction of the program. It is not a detailed list of every process and procedure within your program. These policies are the core statements that will guide your cyber security program.
Section 500.04: Chief Information Security Officer
Regulated financial institutions shall designate a qualified individual to serve as Chief Information Security Officer (CISO) responsible for overseeing and implementing the institution’s cybersecurity program and enforcing its cybersecurity policy. The CISO must report to the board, at least bi-annually, to:
- Assess the confidentiality, integrity and availability of information systems.
- Detail exceptions to cybersecurity policies and procedures.
- Identify cyber risks.
- Assess the effectiveness of the cybersecurity program.
- Propose steps to remediate any inadequacies identified.
- Include a summary of all material cybersecurity events that affected the regulated institution during the time period addressed by the report.
What you need to do:
Hire or appoint a Chief Information Security Officer, or CISO. If you have never heard of this position before, you have a lot of work to do. The regulation doesn’t require you to hire a new CISO, but you must appoint someone to the CISO position. This role has the ultimate responsibility for the successes and failures of the program. The CISO must report to the board at least bi-annually and must be able to understand compliance risks as they relate to technical risks. The best candidate for this role is someone who can easily explain technical concepts to a non-technical audience such as the board members. Their role is to highlight key risks, much as a Risk Officer would report to a board.
Section 500.10: Third-Party Service Providers
Regulated entities must have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third parties, and these must include the following:
- Identification and risk assessment of third parties with access to such information systems or such nonpublic information.
- Minimum cybersecurity practices required to be met by such third parties.
- Due diligence processes used to evaluate the adequacy of cybersecurity practices of such third parties; and
- Periodic assessment, at least annually, of third parties and the continued adequacy of their cybersecurity practices.
What you need to do:
If you are outsourcing cyber security staff and other positions, you need to pay close attention to this requirement. The purpose behind this requirement is to put accountability on the third party and ensure they are also following some basic cyber security best practices within their organization. You may have a great program in place, but your vendors might be your biggest risk.
Section 500.14: Training and Monitoring
Covered Entities must:
- Implement risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information by such Authorized Users; and
- Provide for and require all personnel to attend regular cybersecurity awareness training sessions that are updated to reflect risks identified by the Covered Entity in its annual assessment of risks.
What you need to do:
Section 500.14 requires Covered Entities to implement cyber security awareness training for all personnel at the organization. This requirement is the foundational building block of any cyber security program, because it focuses on people. Security awareness training for employees should be a priority of any cyber security program regardless of regulation. After all, a human can typically bypass any technical controls you have in place, so training them on cyber security risks should be a priority.
We have only covered some highlights; reading the entire regulation will point out much more. We highly recommend you review the entire document to ensure you are covering each requirement of the regulation, including:
- Annual penetration testing and vulnerability assessments.
- Implementation and maintenance of an audit trail system to reconstruct transactions and log access privileges.
- Limitations and periodic reviews of access privileges.
- Written application security procedures, guidelines and standards that are reviewed and updated by the CISO at least annually.
- Annual risk assessment of the confidentiality, integrity, and availability of information systems; adequacy of controls; and how identified risks will be mitigated or accepted.
- Employment and training of cybersecurity personnel to stay abreast of changing threats and countermeasures.
- Multi-factor authentication for individuals with privileged access to internal systems and for support functions including remote access.
- Timely destruction of nonpublic information that is no longer necessary except where required to be retained by law or regulation.
- Monitoring of authorized users.
- Encryption of all nonpublic information held or transmitted. For data in transit, this requirement is effective one year from the effective date of the regulation. For data at rest, this requirement is effective five years from the effective date, as long as there are compensating controls in the meantime.
- Written incident response plan to respond to, and recover from, any cybersecurity event.
For financial services Covered Entities falling in scope of this new regulation, building and maintaining a security awareness program can be overwhelming. If you are looking for a place to start, Curricula has a turnkey cyber security awareness training solution that will satisfy this requirement. To learn more about how we can help, request a free demo of Curricula Aware at www.curricula.com.