September 3 marks the next critical deadline for companies covered by the cybersecurity regulations (23 NYCRR Part 500) set forth by the New York Department of Financial Services (NYDFS). If you’re a regulated entity, are you ready? Or, are you, like many organizations across the country, viewing the requirements as a new standard that may be adopted by other states and is therefore worth meeting?
Designed to reduce the risk of data breaches, the regulation mandates organizations to implement substantial efforts in order to secure data as it is shared and used. By September 3, all financial service organizations regulated by the NYDFS, including banks & trust companies, investment companies, private bankers, licensed agents & brokers, mortgage companies and insurance companies are required to have in place the following security controls:
Network Activity Monitoring and Audit Trail
- Must be sufficient to reconstruct financial transactions, should that be necessary
- Records must be kept for 5 years
- Must be sufficient to detect and prevent cyber incidents, e.g. ransomware infection or network intrusion
- Records must be kept for 3 years
- “Written procedures, guidelines and standards” for secure development practices if an entity develops applications in-house, and
- Procedures for “evaluating, assessing or testing” the security of externally developed applications
- This must include a planned periodic review of the relevant preceding practices or procedures by the CISO
Data Minimization and Data Retention
- A process to identify Nonpublic Information that must by law or regulation be retained, and
- A process to identify and delete Nonpublic Information that is not or is no longer required to be retained
- Companies must have in place procedures and controls to monitor the activity of authorized users of company systems and to detect unauthorized access or use of, or tampering with, Nonpublic Information by Authorized Users
- Covered entities must have controls in place to protect non-public Information in transit and at rest. If this is not feasible, they must have a strategy and documentation to implement alternative compensating controls, which must be reviewed for effectiveness annually
With limited budgets and small teams at many financial firms and community banks, the NYDFS and other rules can be a challenge to meet. There are reasons to persevere, however, and ways to simplify the process. First, compliance should not be viewed as the goal. Recognizing that compliance does not equal security, the investment of time and resources into achieving it is better viewed through the lens of enterprise risk management. A standardized framework provides the foundation for a more robust security program, which is tied directly to business goals and outcomes.
Second, help is available to ease the burden of meeting compliance challenges. CyberFortis-TSC Advantage is among those firms with certified teams that are experienced in assessing for gaps and vulnerabilities, developing processes and procedures, managing network access and monitoring, and advising on data storage and encryption.
With a NYDFS module, the Secure Halo assessment platform simplifies annual risk assessment and provides a secure audit trail from the centralized collection and updating of security controls within organizations and their third parties. Partnering with an experienced security provider can improve the return on cybersecurity spending.
Next up: A 6-month strategy to meet the NYDFS third-party service provider policy