Exploring the intent and value offered through the New York State Department Of Financial Services 23 NYCRR 500; Cybersecurity Requirements For Financial Services Companies
From time to time it’s worthwhile to explore an example of a regulation put into place to help define, encourage, and oblige sound cybersecurity and risk management practices. Financial institutions are highly skilled at compliance with regulatory requirements. New York State has many large financial institutions’ regional or national headquarters within their borders. It’s a perfect set of cybersecurity risks and opportunities. Let’s examine what this regulation, enacted into effect in March of 2017, puts forth for financial services in the Empire State.
The introduction acknowledges the growing threat of cyber-attacks and sets forth the regulation’s intent, summarized here into six (6) points:
- Promote the protection of customer information and IT systems of regulated entities
- Proscribe regulatory minimum standards
- Allow cybersecurity programs to match the relevant risks and keep pace with technological advances.
- Require each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion.
- Set Senior Management responsibility for the organization’s cybersecurity program
- Require Covered Entities to file an annual certification confirming compliance with these regulations.
Overall this means a regulated Financial Institution’s cybersecurity program must ensure its safety and soundness and protect its customers. Nothing remarkable or novel is here, but these intentions, as stated, draw clear parameters for the program components and details to follow. It’s the “what”. Much of the remainder of the regulation refers to the “how”.
Terminology, as I’ve often said in other blogs, is most important for clear communications, comprehension, and effective implementation cyber security and risk management practices. So, the following section of term definitions, spanning specifics for non-public information, control practices such as penetration testing, and roles such as third-party service provider are very useful. These can be used to compare with a regulated financial institution’s (Covered Entity) current internal policy definitions and practices, offering content and definition where none might exist. This content also sets a minimum compliance standard for any language in current policies. As such, these definitions provide guidance on scope and intent, a compliance baseline for existing internal documentation, and a point of education between regulator and “Covered Entity”. If there are existing internal definitions of these terms in an institution, it’s an opportunity to align that internal “taxonomy” with regulatory language to assure any gaps in substance or intent are identified and addressed through its compliance processes regarding cybersecurity.
Section 500.2 describes the requirements of a compliant cybersecurity program. Right up front, it states that the program “…shall be based on the Covered Entity’s Risk Assessment…”. If risk assessment processes, skills, and tools are not reasonably strong in your organization, you’re already at risk of compliance jeopardy. Then it goes on to state that the Cybersecurity Program must incorporate policies and procedures to identify and assess risks, detect, respond to, recover from and mitigate cybersecurity events, including practices to fulfill regulatory reporting obligations. This seems remarkably familiar content to NIST’s Cybersecurity Core Framework components of Identify, Protect, Detect, Respond, and Recover. Financial institutions operating in New York State that have used the NIST Cybersecurity Framework as an organizing foundation to their cyber risk management programs likely have a clear advantage towards compliance with this regulation, without much adjustment or tuning of their risk program. Section 500.2 (c) also notes that adoption by a Covered Entity of an affiliate’s program also offers a path to compliance; implying there is room for outsourcing some operational aspects of cyber risk management to help a achieve compliance with this NY State Cybersecurity regulation.
The regulation requires there be a Cybersecurity Policy in place; one that’s been “…approved by a Senior Officer or the Covered Entity’s board of directors (or an appropriate committee thereof) or equivalent governing body…”. This is significant because the regulation specifies aspects of policy management required to meet compliance. Draft, informal notices or other non-policy communications, which have not been subject to internal governance as described here, would not be satisfactory. Section 500.3 goes on to state that this policy should be based upon the Financial Institution’s risk assessment. It continues to detail areas of coverage, including assets, governance, technology controls, third party oversight, privacy and response practices. It’s a good basic outline describing the basic contents of a cybersecurity policy and the core scope of a cyber risk management program.
It’s rare that a regulation specifies so much of the “how” to achieve compliance. Mostly regulations focus on what needs to be, rather than the means to achieve any state. This regulation requires the assignment of a Chief Information Security Officer, or CISO in section 500.4. It goes on to list the core responsibilities of this role, and how it may be staffed. Staffing options in addition to internal assignment include outsourcing the role to a qualified third party, to a member of an affiliate organization, or through an independent third party. This flexibility allows local or regional subsets of larger financial institutions to take advantage of corporate resources which may reside outside New York State. It’s also interesting to note that this CISO role is obligated to issue “…a report in writing at least annually to the Covered Entity’s board of directors or equivalent governing body. … The CISO shall report on the Covered Entity’s cybersecurity program and material cybersecurity risks.” Once again there’s a need for organized, thorough reporting on the program, and the cyber risk assessment, implying a need for structure in both processes and performance reporting.
Sections 500.5-8 describe specific control and security practices inherent in any well managed IT security program for a Financial Institution:
- Penetration Testing and Vulnerability Assessments
- Audit Trail
- Access Privileges
- Application Security
The focus is often identified to be on non-public confidential information protection, the evaluation of controls to manage it, prevent or detect policy violations, and respond to events. This is all very basic, and very necessary. It’s unlikely any Financial Institution of significance would be missing any of these control practices.
Section 500.9 addresses Risk Assessment in some detail compared to these other cyber security practices. It needs to be current and accurately reflect the newest changes to technical controls, policies, and operating practices. It’s to be governed by written policies and procedures, include criteria for the identification, assessment, categorization and evaluation of cyber risks, control effectiveness, and risk mitigation processes. This is one place where many organizations, even relatively large and otherwise sophisticated ones like major Financial Institutions, can fall short. Documented risk management program practices, procedures, processes and methods often are not so complete as this regulation requires. While the documentation demands noted here are not so rigorous as ones needed to achieve an ISO certification, they are most often found in places where standardized practices, supported by risk management software tools and platforms are well established. The regulation is subtle but clear in its push towards process maturity in the area of risk assessment.
Clearly, the regulation wants the program to maintain currency. Section 500.10 notes this in its comments requiring there to be designated, trained and qualified personnel. Training to maintain knowledgeable staff is required. 500.11 wants assurances that the controls in force at affiliates and third parties are of adequate strength to support and not deteriorate the risk perimeter extended by an affiliate or third-party services. Covered entities need to monitor and evaluate third party practices annually. It’s noteworthy that in the past few years third party security has become increasingly important to cyber risk management. The last changes to the NIST Cyber Security Framework included specific additions to address third party security.
For some reason, the NYS Cybersecurity Requirements For Financial Services Companies then returns to control practices again. In sections 500.12-16 requirements are noted for implementing:
- Multi-factor Authentication: based upon risk assessed needs, but requiring its use when accessing an internal network remotely
- Limitations on Data Retention: specifically requiring periodic secure disposal (a practice often outsourced, but rarely monitored by many institutions).
Note: this a significant risk exposure, which in my own consulting experience has been a major source of non-compliance when it was discovered that documents, electronic storage media, and other items were not being destroyed as contracted, but dumped whole in landfills and other places. Word to the wise … monitor the efforts of these contractors to assure they are fulfilling contractual obligations as stated.
- Training and Monitoring: making sure that overall employee awareness training was regularly updated and administered throughout the enterprise.
- Encryption of Non-Public Information: ensuring that it’s done wherever possible and that approved compensating controls are in force wherever they are approved as an alternative.
- Incident Response: outlining the requirements for an effective incident response plan to address cyber events in compliance with policy and regulatory expectations.
The Superintendent of Financial Services must be notified of Cybersecurity events within 72 hours whenever such an event impacts the Covered Entity such that notice is required to be provided to any government body, self-regulatory agency or any other supervisory body; or Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity. Section 500.17 also requires an annual written report to the Superintendent no later than February 15th of each year, utilizing a form provided in the Regulation’s appendix.
There’s a brief statement about confidentiality in 500.18. Basically, if it’s confidential to this regulation, it’s subject to the same exemptions as Banking Law, Insurance Law, Financial Services Law, Public Officers Law or any other applicable state or federal law. (Clearly, a remark written by an over-zealous attorney somewhere.)
Section 500.19 notes all the circumstances where your NY State Financial Institution might be exempt from this regulation. So, if you have fewer than 10 employees, less than $5,000,000 in annual revenue, or under $10,000,000 in assets, you may be “off the hook”. Likewise, if you are part of and covered by the practices of a greater Covered Entity you need not replicate and duplicate the compliance requirements of the regulation. In some cases, agencies under Article 70 of the Insurance Law who have no direct control over non-public information may be exempt. And of course, instructions to file the appropriate Exemption paperwork are noted here.
Finally, Section 500.20 stipulates that the Superintendent shall be the enforcer of this regulation. 500.21 states that the regulation became effective March 1, 2017, and those affected must be compliant by February 15, 2018. There are some rules about transition periods, not to exceed 180 days discussed in section 500.22. Covered entities may have as much as 1 year, 18 months or no more than 2 years to achieve compliance with specific subsets of the regulation. And lastly, in 500.23 Severability, it states that if any part of the regulation is deemed unlawful by a court, the remainder of the regulation remains in force.
As you can see, this regulation touches all the basics, and in some cases proscribes more detail and specifics about how a program should be run. It offers a reasonable foundation, or departure point from which an organization may build and refine a comprehensive set of cybersecurity and cyber risk management practices. In blogs to come, we’ll look at how standards and frameworks can support such compliance efforts, and how tools like risk management software enable efficient and comprehensive management and control of the practices that build value and confidence in risk management and cyber security.
About the Author:
Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, as well as held credentials of CRISC, CISM, CISA.