New York Cybersecurity Regulation: Everything You Need to Know to Ensure Compliance

Since March of 2017, New York based companies in the banking, insurance, and financial services industry have been required to comply with the Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500). The purpose of the regulation is to promote the protection of customer information as well as the IT systems of regulated entities. Although no specific penalties are defined in the regulation, the Superintendent of NY DFS has the authority to request documentation to show compliance at any time, so companies need to be prepared.

Every year on February 15th, entities must file a certification with the NY State Department of Financial Services. The regulation requires companies to adhere to a multitude of specific requirements but does include some transitional dates to allow companies to work towards full compliance.

What you have to do now

The first annual certifications were due in February of 2018, so if your company has not filed yet you are well beyond the deadline. As of right now, companies are required to have the following controls in place:

• Risk Assessment - Companies must perform a risk assessment to identify cybersecurity threats. Threats must be suitably categorized and evaluated and risk mitigation plans should be developed.
• Cybersecurity Policies - A robust set of information security policies and procedures must exist to define the guidance and requirements of your companies cybersecurity program.
• Vulnerability Management - At a minimum, companies must perform vulnerability scanning twice a year and have a penetration test done annually.
• CISO - Someone within your company must have the title of Chief Information Security Officer. This person is accountable for the cybersecurity program.
• Access - Companies must restrict access to systems with non-public information and review user access periodically.
• Multi-Factor Authentication - Companies are encouraged to use Multi-factor authentication.
• Cybersecurity Personnel Competency - Companies must hire qualified personnel, either internally or by engaging firms such as Clearview Group, to manage cybersecurity controls. Security personnel must be given access to and partake in periodic training.
• Security Awareness Training - All employees must take security awareness training on a regular basis.
• Incident Response - Companies must have a plan in place to handle cybersecurity events.
• Incident Notification - Companies are obligated to notify the Superintendent of the NY Department of Financial Services within 72 hours of the identification of a material cybersecurity event.

What you have to do soon

In October of 2018, companies have to have the following in place:

• User Activity Monitoring - The activity of authorized users must be logged and monitored.
• Audit Trail - Audit logs must be in place and retained for 5 years.
• Application Security - Secure application procedures must be in place and reviewed by the CISO
• Data Destruction - Companies must begin securely disposing of non-public information according to defined retention standards.
• Encryption - Encryption must be used for data in transit over external networks and at rest

In March of 2019, companies must have a robust Third Party Service Provider Management program. This include identifying all third parties used as part of business operations and performing periodic risk assessments and reviewing the information security controls in place at the third party service provider. Many companies use cloud services, consultants, outsourced business support, etc., that would all be in scope for this control.

The good news

You don't have to figure this all out on your own. Clearview Group has experts in our IT Risk & Security and Technology Advisory practices that have many years of experience in designing, assessing, and managing cybersecurity risk for companies of all sizes and industries. The use of a third party to manage compliance with the requirements is explicitly allowed in the regulation, because the NY Department of Financial Services recognizes the complexity and ever evolving nature of cybersecurity risk. Send us a message to learn more about how you can ensure your company is managing cybersecurity risk effectively and maintaining regulatory compliance.

About the Author

Michael Molloy is a Manager in Clearview's IT Risk & Security Advisory practice. He graduated with his Masters in Business Technology Management from Stevenson University in 2013 and obtained his Certified Information Systems Auditor (CISA) certification in 2014. He has extensive experience in healthcare, utilities, financial services, government contracting, logistics, and higher education. He has lead IT Audit projects on behalf of Internal Audit, AICPA SOC 2 assurance engagements, IT SOX audit and consulting projects, and IT Security consulting and advisory engagements. He has a deep knowledge in many of the industry leading technologies including Infrastructure as a Service (AWS, Azure, etc.), Platform as a Service (Salesforce, etc.) and Software as a Service (Workday, Office 365, JIRA/Confluence, etc.).