NYDFS tweak proposed cybersecurity regulations; start date pushed back to 1 March 2017

Last September, TBG Security wrote a helpful blog article on the proposed cybersecurity regulations put forward by the the New York State Department of Financial Services (NYDFS).

The NYDFS aimed to have these new cybersecurity requirements (23 NYCRR 500) enforceable by 1 Jan 2017. However, last week, on the 28th of December, NYDFS issued the following press release, effectively delaying the launch date to March 1, 2017.  


December 28, 2016

DFS ISSUES UPDATED PROPOSED CYBERSECURITY REGULATION PROTECTING CONSUMERS AND FINANCIAL INSTITUTIONS

First-in-the-Nation Proposed Rule Aims to Protect Consumer Data and Financial Systems from Terrorist Organizations and Other Criminal Enterprises

Financial Services Superintendent Maria T. Vullo today announced that the New York State Department of Financial Services (DFS) has updated its proposed first-in-the-nation cybersecurity regulation to protect New York State from the ever-growing threat of cyber-attacks. The proposed regulation, which will be effective March 1, 2017, will require banks, insurance companies, and other financial services institutions regulated by DFS to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.

“New Yorkers must be confident that the banks, insurance companies and the other financial institutions that they rely on are securely handling and establishing necessary protocols that ensure the security and privacy of their sensitive personal information,” said Superintendent Vullo. “This updated proposal allows an appropriate period of time for regulated entities to review the rule before it becomes final and make certain that their systems can effectively and efficiently meet the risks associated with cyber threats.”

DFS carefully considered all comments submitted regarding the proposed regulation during the 45-day comment period, which ended on November 14, 2016, and has incorporated those suggestions that DFS deemed appropriate in an updated draft that will be‎ subject to an additional final 30-day comment period.  DFS will focus its final review on any new comments that were not previously raised in the original comment process.

The updated proposed regulation, which was submitted to the New York State Register on December 15, 2016 and published today, will be finalized following a 30-day notice and public comment period.


While the overall aim remains the same – impose new rigorous cybersecurity requirements on banks, consumer lenders, money transmitters, insurance companies as well as some financial service providers in New York State – there are a few interesting changes to the original proposal.

Indeed, the National Law Review reports that “the revised regulation makes multiple changes to almost every provision in the original proposal.” 

The biggest change as far as we are concerned is that most of the regulations outlined in this NYDFS proposal hinge on a Risk-Based Approach. In this draft, the risk assessment of a covered entity’s information systems is now integral to many of the clauses outlined below.

This, along with a delayed start time and added grace periods for transitioning (180 days to two years depending on the regulatory clause), makes this an easier pill to swallow, but it is s still going to require a massive internal undertaking for those financial representatives who are impacted by this proposed new regulation.


Summary of the NYDFS updated cybersecurity proposal

We have compared both proposals and provided a summary of the changes. Text under the heading original were in the first NYDFS proposal; text under the heading UPDATE provides guidance on what has been changed or introduced in the the new version issued in mid-December.

We hope this is useful, and urge you to read the proposal and provide any feedback to NYDFS before the end of the 30-day period.

Warning: the following may seem rather daunting and requires cybersecurity regulatory expertise to ensure all the regulations are being followed. If you have any questions or concerns about about the NYDFS cybersecurity proposal and its impact, get in touch with us at TBG Security.

CYBERSECURITY  PROGRAM
ORIGINAL: Each Covered Entity shall establish and maintain a cybersecurity program designed to ensure the confidentiality, integrity and availability of the Covered Entity’s Information Systems.
UPDATE: The cybersecurity program shall be based on the Covered Entity’s Risk Assessment (see below).

CYBERSECURITY POLICY
ORIGINAL: Each Covered Entity shall implement and maintain a written cybersecurity policy setting forth the Covered Entity’s policies and procedures for the protection of its Information Systems and Nonpublic Information stored on those Information Systems.
UPDATE: This cybersecurity policy now must be approved by a Senior Officer, the Covered Entity’s board of directors, or equivalent governing body. The cybersecurity policy shall be based on the Covered Entity’s Risk Assessment and address the following:

  • information security;
  • data governance and classification;
  • asset inventory and device management;
  • access controls and identity management;
  • business continuity and disaster recovery planning and resources;
  • capacity and performance planning;
  • systems operations and availability concerns;
  • systems and network security;
  • systems and network monitoring;
  • systems and application development and quality assurance;
  • physical security and environmental controls;
  • customer data privacy;
  • vendor and third-party service provider;
  • third party service provider management;
  • risk assessment; and
  • incident response.

CHIEF INFORMATION SECURITY OFFICER
ORIGINAL: Each Covered Entity shall designate a qualified individual to serve as the Covered Entity’s Chief Information Security Officer (“CISO”) responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy.
UPDATE: The CISO may be employed by the Covered Entity, one of its Affiliates or a Third Party Service Provider.

PENETRATION TESTING AND VULNERABILITY ASSESSMENTS
ORIGINAL:The cybersecurity program for each Covered Entity shall, at a minimum, include penetration testing of the Covered Entity’s Information Systems at least annually and vulnerability assessment of the Covered Entity’s Information Systems at least quarterly.
UPDATE: The cybersecurity program for each Covered Entity shall include monitoring and testing, developed in accordance with the Covered Entity’s Risk Assessment, designed to assess the effectiveness of the Covered Entity’s cybersecurity program. Based on the risk assessment findings, penetration tests will be conducted annually, while vulnerability assessments are now required bi-annually.

AUDIT TRAIL
ORIGINAL: The cybersecurity program for each Covered Entity shall, at a minimum, include implementing and maintaining audit trail systems.
UPDATE: Each Covered Entity shall include implementing and maintaining audit trail systems that track and securely maintain data that allows for the complete and accurate reconstruction of all systems based on its Risk Assessment. Records must be maintained for at least five years.

ACCESS PRIVILEGES
ORIGINAL: Each Covered Entity shall limit access privileges to Information Systems that provide access to Nonpublic Information solely to those individuals who require such access to such systems in order to perform their responsibilities and shall periodically review such access privileges.
UPDATE: No notable changes.

APPLICATION SECURITY
ORIGINAL: Each Covered Entity’s cybersecurity program shall include written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications.
UPDATE: No notable changes.

RISK ASSESSMENT
ORIGINAL: At least annually, each Covered Entity shall conduct a risk assessment of the Information Systems. Such risk assessment shall be carried out in accordance with written policies and procedures and shall be documented in writing.
UPDATE: The risk assessment now needs to be conducted periodically (rather than annually) sufficient to inform the design of the cybersecurity program.

CYBERSECURITY PERSONNEL AND INTELLIGENCE
ORIGINAL: Each Covered Entity shall employ (or use a qualified third party) to perform the duties of cybersecurity personnel, including managing the Covered Entity’s cybersecurity risks and performing the core cybersecurity functions.
UPDATE: No notable changes,

THIRD-PARTY INFORMATION SECURITY POLICY
ORIGINAL: Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, third parties doing business with the Covered Entity.
UPDATE: Such policies and procedures shall be based on the Risk Assessment of the Covered Entity.

MULTI-FACTOR AUTHENTICATION
ORIGINAL: Each Covered Entity shall require Multi-Factor Authentication for any individual in order to access the internal systems or data from an external network; to access web applications that capture, display or interface with Nonpublic Information, and to support Multi-Factor Authentication for any individual accessing web applications that capture, display or interface with Nonpublic Information.
UPDATE: Such policies and procedures shall be based on the Risk Assessment of the Covered Entity. Based on its Risk Assessment, each Covered Entity shall require effective controls, which may include Multi-Factor Authentication or Risk-Based Authentication. Multi-Factor Authentication will be used by all individuals accessing the systems outlined above, unless the Covered Entity’s CISO has approved in writing the use of reasonably equivalent or interface with Nonpublic Information.

LIMITATIONS ON DATA RETENTION
ORIGINAL: Each Covered Entity shall include policies and procedures for the timely destruction of any Nonpublic Information identified no longer necessary for the provision of the products or services.
UPDATE: Secure disposal is mandated on a periodic basis of any Nonpublic Information that is no longer necessary for the provision, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.

TRAINING AND MONITORING
ORIGINAL: Each Covered Entity shall implement risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information by such Authorized Users as well as require all personnel to attend regular cybersecurity awareness training sessions.
UPDATE: No notable changes.

ENCRYPTION AND NONPUBLIC INFORMATION
ORIGINAL: Each Covered Entity shall encrypt all Nonpublic Information held or transmitted by the Covered Entity both in transit and at rest, where feasible.
UPDATE: Encryption requirements will be based on each Covered Entity’s Risk Assessment. Each Covered Entity shall implement controls, including encryption, to protect Nonpublic Information held or transmitted by the Covered Entity both in transit over external networks and at rest.

INCIDENCE RESPONSE PLAN
ORIGINAL: Each Covered Entity shall establish a written incident response plan designed to promptly respond to, and recover from, any Cybersecurity Event affecting the confidentiality, integrity or availability of the Covered Entity’s Information Systems or the continuing functionality of any aspect of the Covered Entity’s business.
UPDATE: No notable changes.

NOTICES TO SUPERINTENDENT
ORIGINAL: Each Covered Entity shall notify the superintendent of any Cybersecurity Event that has a reasonable likelihood of materially affecting the normal operation of the Covered Entity or that affects Nonpublic Information. The Covered Entity must notify the superintendent as promptly as possible but in no event later than 72 hours after becoming aware of such a Cybersecurity Event.
UPDATE: The wording here has changed slightly. It now states that “Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.

Read New York state’s proposal yourself: CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES [PDF]

And DO get in touch with us if you need clarification, advice, strategic counsel and/or cybersecurity expertise. We’re here to help.


About TBG Security Inc.

TBG Security is a leading provider of information security and risk management solutions for Fortune 100 and Fortune 500 companies. TBG designs and delivers cyber security solutions to work in harmony with existing operations. Companies depend on TBG services in areas including risk management, penetration testingsecurity policy development, security strategies for compliance, business continuitynetwork security, managed servicessoftware and service integration and incident response.

For more information on how TBG Security can help your organization with your information security initiatives please visit https://tbgsecurity.com.

Previous ArticleWant to be a cybersecurity hero this holiday? Here’s how. Next ArticleWhy you can’t find a good CISO for love or money (but we have a solution…)