New York Department of Financial Services (NYDFS) has enacted 23 NYCRR Part 500, a new regulation designed to establish a cybersecurity baseline for financial service companies, which went into effect on March 1, 2017.
Generally speaking, this mandate applies to financial services firms such as banks and insurance companies licensed by the state of New York. That includes entities headquartered in New York state, as well as out-of-state/international entities doing business in New York. Smaller companies that do not meet certain thresholds for employee size, annual revenue, or total assets are exempt from some of the requirements. The full regulations and required certification can be found at: http://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf
While the mandate is now in effect, NYDFS has set a series of compliance deadlines that allow companies to meet all requirements over a two-year transitional period. Because these requirements encompass people, processes, and technologies, covered entities will want to start their efforts now to meet these deadlines:
- August 27, 2017
  - Establish a cybersecurity program based on the company’s risk assessment
  - Implement a written cybersecurity policy based on the company’s risk assessment
  - Designate a Chief Information Security Officer
  - Limit access privileges based on the company’s risk assessment
  - Establish a written third-party service provider security policy based on the company’s risk assessment
  - Establish a written incident response plan
- February 28, 2018
  - CISO’s annual reporting to the board of directors
  - Conduct cybersecurity monitoring and testing (at minimum, annual penetration testing and bi-annual vulnerability assessments)
  - Conduct a risk assessment sufficient to inform the design of the cybersecurity program
  - Implement multi-factor authentication
  - Conduct cybersecurity awareness training for all personnel
- September 2, 2018
  - Maintain audit trail systems to detect and respond to cybersecurity events
  - Establish procedures, guidelines and standards for application security
  - Implement a secure data disposal policy
  - Implement a policy to monitor user activities in order to detect unauthorized access to data
  - Implement controls (encryption) to protect nonpublic information
- February 28, 2019
  - Implement policies to ensure the security of systems and information that are accessible to, or held by, third-party service providers
Key Focus Areas
Three areas of 23 NYCRR Part 500 compliance that covered entities must pay particular attention to are:
Multi-factor Authentication– The Regulation defines “Multi-Factor Authentication” as authentication through verification of at least two of (1) knowledge factors (e.g. password), (2) possession factors (e.g. token, text messages, smart cards), and (3) inherence factors (e.g. biometric characteristic). Section 500.12 of the Regulation requires the use of Multi-Factor Authentication for access from an external network to the company’s internal networks. This section also requires effective controls to protect against unauthorized access to nonpublic information or information systems of the company, which may include Multi-Factor Authentication or Risk-Based Authentication.
Audit Trail– Under Section 500.06 of the Regulation, companies must maintain a cybersecurity program that includes audit trail systems designed to detect and respond to cybersecurity incidents.
Data Access Monitoring– Section 500.14(a) of the Regulation also requires companies’ cybersecurity programs to include policies, procedures and controls designed to monitor user activities to detect unauthorized access and use of nonpublic information.
Let Us Help You
Soliton’s InfoTrace Endpoint Security and Compliance Management Solution can help covered entities accelerate their 23 NYCRR Part 500 compliance. It integrates multiple layers of endpoint security, data access control, authentication, policy enforcement and forensic reporting into a single enforcement agent, and provides management and reporting from a single pane of glass.
Email us [email protected] to learn more about how InfoTrace can support your cybersecurity compliance requirements.