New NYDFS Cybersecurity Regulations and How They Effect You

New NYDFS Cybersecurity Regulations? Are you prepared? Should you be?

In a conversation last month with one of our good customers, the subject of NYDFS Cybersecurity Regulations came up with a question of potential service opportunities for our customers. It seemed that changes in the regulations, especially for the SMB marketplace, might require additional expertise or bandwidth that typical SMB organizations either cannot or choose not to employ. Whether you can hire the expertise or not to address their requirements, NYDFS will still hold companies accountable that fall under their regulation guidelines.

Our team has looked at the impact for our clients who are covered entities including NY insurance companies, banks, and other regulated financial service institutions. They are all aware that the NYDFS established the 23 NYCRR Part 500 (Cybersecurity Rules) to combat the ever-growing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors.

It is the changes that are bringing a challenge and opportunity to our customers, as well as cybersecurity service providers. Not all the changes directly impact smaller firms that are covered entities, but there may be a downstream effect to supplier companies of covered entities via third party risk management programs. These firms may be asked for compliance to DYDFS to share accountability to the regs.

Here are the significant changes that you will want to review for your program:

• If you are a “Class A” company, you will need to do an independent audit of your cybersecurity program. The new requirements call for an independent audit to be done by an external auditor (not simply independent of security responsibilities).

• Your Cybersecurity Policy requirements have been amended to include data retention, end of life management, remote access, network security monitoring, security awareness and training, security of the development life cycle, notification of incidents, and vulnerability management. Also added was a requirement for covered entities to have documented procedures supporting policies.
  Chief Information Security Officer requirement has been amended to require that the CISO have adequate authority to ensure cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain a cybersecurity program. Note: the CISO can be a third-party (NYDFS is still permitted a “Fractional or Virtual CISO”).

• Updated requirements to have documented policies and procedures for monitoring and vulnerability management. Vulnerability Management was already required, what’s new is that the process must be documented in policies and procedures Penetration Testing was clarified to include external and internal tests.
  

• Increased Access Control requirements.
  

• Requires annual review of coding guidelines and standards.
  

• MFA requirements.
  

• Strengthened Asset Management to require a complete Asset Inventory and track end of support (end of life).
  

• Incident Response section has been updated to include business continuity.? It also includes the requirement to test the IR plans and BCP with senior officials.? Also specifically requires that ransomware is included in IR.
  

• An interesting update that impacts Board (or equivalent) oversight includes the requirement for expertise and knowledge of cybersecurity.

What does all this mean?

What NYDFS is requiring is good cybersecurity hygiene; things that will make your cybersecurity program a bit better. All covered entities as well as third parties who support those entities should review your Information Security Program against the updated requirements. Covered entities should make sure your Board has cyber expertise if they do not already.

The requirements for Class A covered entities, have increased quite a bit – however large organizations in the financial service industry should be able to comply with these new requirements and should be complying with most of new requirements already. Class A organizations will likely be spending more money on outside services for assessments.

Here is a link that highlights the changes, underlined in this pdf:

Click here for the full list of changes

If you want to learn more, or dive deeper into the NYDFS Cybersecurity Regulation impact on your company, please reach back to SEVN-X. Our goal is to help you Achieve Better Cybersecurity. We are happy to help!