In May 2019, the State of New York announced the creation of a new Cybersecurity Division within its Department of Financial Services (DFS) and the appointment of Justin Herring as its Executive Deputy Superintendent. According to the DFS, the Division "will enforce cybersecurity regulations, advise on cybersecurity examinations, issue guidance on DFS’s cybersecurity regulations, and conduct cyber-related investigations in coordination with the Consumer Protection and Financial Enforcement Division". Through this action, the DFS has built upon its previously-adopted rules that require financial institutions to implement various cybersecurity applications and practices to protect their computing environments and, most importantly, customers. These compliance requirements are contained in a first-of-its-kind state regulation called 23 NYCRR 500 (Reg 500).
In March 2017, the DFS promulgated cybersecurity Reg 500 with a two-year implementation period that ended March 2019. The regulation has far-reaching ramifications for financial services companies covered under the department's jurisdiction, which includes banking, insurance, and other financial services institutions and licensees that are incorporated in New York, as well as those that aren't but have operations in the state. This means that most domestic and international companies doing business in the state are subject to the regulation's requirements.
Reg 500 is designed to protect the critical infrastructure on which the financial services industry runs, as well as customers' private data. It was created in response to the increasing frequency and severity of cyberattacks on financial institutions. According to the DFS, the majority of cybersecurity breaches of information systems and data "involve phishing attacks, social engineering threats, and issues relating to password composition and security and email security."
As of March 1, 2019, DFS-regulated financial services companies in New York must meet the regulation's requirement to have a comprehensive Cybersecurity Program in place. The program must include one or more written security policies, implementation of specific security applications, testing and auditing, certification, and filing of incident reports, among other things. Equally important, Reg 500 also includes provisions that can be broadly read as mandating the implementation of other types of security applications not specifically mentioned in the regulation.
Major Provisions
Reg 500 stipulates that DFS-regulated companies must implement an overall Cybersecurity Program that is based on a Risk Assessment of its non-public information and technical infrastructure.
The Program must:
- "Identify and assess internal and external cybersecurity risks
- Use defensive infrastructure and implement policies and procedures to protect information systems and non-public information stored on them from unauthorized access, use or other malicious acts
- Detect cybersecurity events
- Respond to identified or detected cybersecurity events to mitigate any negative effects
- Recover from cybersecurity events and restore normal operations and services
- Fulfill applicable regulatory reporting obligations"
The Cybersecurity Policy needs to cover areas such as data governance, access controls, identity management, systems and network monitoring and security, customer data privacy, information security, and incident response, as well as other areas. While some of Reg 500's provisions are general in nature—allowing flexibility in what organizations can implement—there are some requirements that are specifically called out, including:
Chief Information Security Officer (CISO)
Companies are required to have an on-staff CISO who has responsibility for cybersecurity and implementation of the regulation. This person can be employed by an affiliate company or individual, or a third-party service provider. The CISO must report annually to a board of directors or a senior officer on the Cybersecurity Program and cybersecurity risks to the organization.
Penetration Testing and Vulnerability Assessments
Continuous monitoring or periodic penetration testing must be performed. Absent the ability to continuously monitor, companies are required to conduct annual penetration testing and bi-annual vulnerability assessments.
Audit Trails
These must be established so financial transactions can be reconstructed and allow normal operations and obligations to be restored. In addition, they must allow companies to detect and respond to cybersecurity events that can materially harm normal operations.
Access Privileges
Companies must be able to limit user access to systems that contain nonpublic information.
Application Security
Written procedures, guidelines, and standards must be created to ensure the use of secure development practices for in-house applications, as well as procedures for evaluating, assessing, or testing the security of externally developed applications.
Risk Assessment
Periodically, a Risk Assessment must be done that serves as a basis for designing the Cybersecurity Program. It must consider risks to normal operations, nonpublic information, information systems, and the availability and effectiveness of controls to protect nonpublic information.
Multi-Factor Authentication
Multi-Factor Authentication or Risk-Based Authentication can be used as controls to prevent unauthorized access to nonpublic information. Multi-Factor Authentication must be used for individuals on external networks who want access to internal networks, unless the CISO has approved another method that is reasonably equivalent or more secure.
Monitoring
Policies, procedures, and controls must be implemented to monitor the activity of Authorized Users and detect unauthorized access to, use of, or tampering with nonpublic information.
Training
Companies must provide periodic cybersecurity training to all personnel, and the training must be updated to reflect the kinds of risks identified by the Risk Assessment.
Encryption of Nonpublic Information
Implement controls, including encryption, to protect nonpublic information held or transmitted both in transit over external networks and at rest. If this is not feasible, the CISO may use alternative compensating controls.
Incident Response Plan
A written incident response plan is required that covers prompt response to, and recovery from, a cybersecurity event materially affecting the confidentiality, integrity, or availability of information systems, or the continuing functionality of any aspect of the business or operations.
Notices to Superintendent
The superintendent of the DFS must be notified promptly of a material cybersecurity event, or one that must be reported to a government agency, self-regulatory body, or other supervisory body. In addition, an annual written notice must be filed with the superintendent, certifying that the company has complied with the requirements of Regulation 500.
It is imperative for New York State DFS-regulated financial institutions to understand Reg 500 in its entirety, and to implement its Cybersecurity Program, which includes conducting a Risk Assessment and developing a written Cybersecurity Policy. Some of the regulation's requirements focus on technologies to help prevent, detect, defend, remediate, and report cybersecurity threats and incidents. While the implementation of security training, access controls, encryption, and Multi-Factor Authentication are specifically mentioned in Reg 500, other provisions indicate that additional security measures should or need to be taken. These include implementing applications for preventing the loss of private data or its unauthorized use, protecting business email messages from being compromised, responding to security incidents, as well as others. Proofpoint's broad range of cybersecurity applications can be used to satisfy many of the security compliance requirements of New York State's Regulation 500.