Impact of new NY state led financial cybersecurity regulations

August 31, 2017//Ellen Neveux

Last Updated: November 18, 2020

As cybersecurity continues to take center stage in the news, many industries have begun to introduce regulations aimed at prevention.  The New York Department of Financial Services is leading the financial sector in this effort with new comprehensive requirements and clear guidelines for cybersecurity management.

Elad Yoran writes in a SCMagazine article, “While the requirements are New York-based, given the state’s concentration of financial services firms, the regulation reaches far beyond the Hudson River.”

The NYDFS 23 NYCRR 500 Cybersecurity Requirements for Financial Companies went into effect March 1st of this year. In his article, Yoran outlines key aspects of the regulation including Access Privileges, Incident Response Plan, and notification procedures.

The Empire State lays down the marker on cybersecurity: What should be done now

By now (July), covered entities should have determined who their Chief Information Security Officer (CISO) is and whether they will outsource this role or keep it in-house. Deciding on a CISO early in the process is important because that person can help coordinate the rest of the implementation and he or she will need time to become familiar with the various parts of the cybersecurity program. Beyond the CISO, companies should also determine who else is designated as cybersecurity personnel.

In addition to defining the cybersecurity policies and personnel, at six months (September 1st), covered entities are also required to have a cybersecurity program designed to protect the confidentiality, integrity, and availability of information systems. The program should be based on a risk assessment and include the requirements referenced in other sections of the regulation, such as controlled access to company systems (Access Privileges 500.07), incident response and information sharing (Incident Response Plan 500.16), and notification procedures (Notices to Superintendent 500.17).

Getting ready for board level accountability

While many of the requirements due in the first year amount to basic cyber hygiene, a new requirement in NYDFS is that the CISO submit a report to the board of directors or equivalent governing body. The board or a senior officer then needs to certify compliance to NYDFS by February 15th, 2018.

This last element, the involvement of the Board of Directors and Senior Officers, is a significant shift. Historically, cybersecurity activities have often been the sole domain of IT organizations, sometimes deep within the IT organization. Elevating cybersecurity to the Board level raises its visibility and places responsibility, strategically, at the highest levels of the organization.

To prepare this report, covered entities should already be planning for and starting to execute penetration tests and vulnerability assessments, a cybersecurity risk assessment, and awareness training for all employees. The assessments will no doubt unearth risk mitigation recommendations, so companies should give themselves time to make the improvements before the year is up. Policies, procedures, and access privileges that were set as part of the prior phase should be reassessed at the conclusion of the risk assessment.

The other big task for the one-year milestone is the institution of Multi-Factor Authentication (MFA) or Risk-Based Authentication to protect against unauthorized access to Nonpublic Information or Information Systems. MFA is prescribed specifically for any method “of accessing a covered entity’s internal networks from an external network.” Assessing the feasibility of such features and implementing them is no small amount of work, so if companies have not already started, they should soon.

About SecureLink

Our sole focus is secure third-party remote access. For highly regulated enterprise organizations, SecureLink Enterprise has pioneered a secure remote access platform. SecureLink for enterprise allows an organization to identify, control, and audit third-party vendors. For vendors, SecureLink is the gold standard remote access support platform because it is easy, efficient, and ensures compliance and reduces liability when supporting customers.

Subscribe to the SecureLink Blog.
close close