The New York Cybersecurity Regulation:

How it impacts you and your company

March 3, 2017

Presented by:

©2017 Strategic Compliance Partners. All rights reserved.

Introduction

• The New York State Department of Financial Services (the “Department”) issued a proposed rule establishing cybersecurity requirements for financial services companies. The rule was revised on December 28, 2016.

• The regulation requires financial services companies regulated by the Department to establish minimum standards for the protection of consumers’ private information, including the requirement to establish and maintain a cybersecurity program designed to protect private customer data.

• The final regulation was published on February 16, 2017, and took effect on March 1, 2017.


Agenda

Today we will discuss:

• Coverage of the regulation

• Cybersecurity program development

• Steps for compliance


Coverage

• The regulation applies to any person “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law.”

• It requires companies to identify and assess internal and external cybersecurity risks that may threaten the security of sensitive data stored on the companies’ systems.

• Additional requirement for a Risk Assessment

• Creation of policies and procedures to protect Non-Public Information

• Requires a qualified individual responsible for overseeing and implementing the cybersecurity program

  • This requirement may be met by appointing a Chief Information Security Officer that is employed by the company or one of its affiliates, or by using a “Third Party Service Provider”

What’s New

• Over 150 critical comments were submitted in response to the Proposed Rule (originally published in September 2016):

  • Rules too stringent

  • No distinction between small and large financial institutions

  • Insufficient time to implement requirements

• Amended rule published on December 28, 2016, adding important flexibility

Final Rule relaxes some requirements from Proposed Rule.

What’s New

• Cyber Program

  • Instead of mandating identical security measures for all institutions, regardless of size, institutions must institute a Cybersecurity Program that is tailored to the institution’s size and risk profile

  • Key element is the “Risk Assessment” – it provides the foundation for the customization of each institution’s Program.

  • Thus, the final rule is more of a “process rule” than a prescriptive, substantive rule.

  • This change matches the approach in other industries (e.g. HIPAA Security Rule) that focus on an individualized, enterprise-wide, risk assessment and management process

• Risk Assessment must be performed periodically (not annually)

• Encryption no longer mandatory

  • If not feasible, the entity may employ effective alternatives as approved by the CISO

• “Protect” not “ensure” – important language change for liability

Final Rule relaxes some requirements from Proposed Rule.

What’s New

• Allows the Cybersecurity Program to be maintained by a qualifying affiliate or third-party service provider

  • Personnel, including the role of CISO, may be outsourced

• Cybersecurity Policy must be based on the Risk Assessment – asset inventory and device management added to the list of items that must be covered

• Notice requirement narrowed in scope - only applies where:

  i. notice is required to be provided to any government body, self-regulatory agency or any other supervisory body; or

  ii. there is a “reasonable likelihood of materially harming any material part of the normal operations” of the entity

  72-hour notice period retained

• Exemption where fewer than 10 employees (including independent contractors)

• Effective date was March 1, 2017

• 180-day “transition” period for Covered Entities (CEs) to come into compliance

Final Rule relaxes some requirements from Proposed Rule.

Section 500.02 Cybersecurity Program

• Priority is placed on protecting confidentiality, integrity and availability of the CE’s Information Systems

• Risk Assessment

  • Drives the development of your Security Program,

  • Must encompass internal and external risks (threats),

  • Must be well documented and readily available,

  • Each organization’s assessment findings will look different (even if you are in the same industry).


Cybersecurity Policy Section 500.03

• Requires implementation and maintenance of written policies that are approved by Senior Management and/or the company’s Board of Directors. The policy is based on the Risk Assessment and shall address the following areas as applicable:

information security;

data governance and classification;

asset inventory and device management;

access controls and identity management;

business continuity and disaster recovery planning and resources;

systems operations and availability concerns;

systems and network security;

systems and network monitoring;

systems and application development and quality assurance;

physical security and environmental controls;

customer data privacy;

vendor and Third Party Service Provider management;

risk assessment; and

incident response.


Section 500.04 CISO

• Required to designate a Chief Information Security Officer,

• Must be a “qualified individual” (e.g. CISSP, CISM),

• Can be a 3rd party service provider, but you still need to designate an internal resource for oversight and direction,

• CISO is responsible for delivering an annual report to the board of directors or a senior officer,

• Report describes the overall health and effectiveness of the cybersecurity program and events from the previous period.


Section 500.05 Pen Testing/Vuln

• Monitoring and testing of program required,

• Either continuous monitoring, or periodic vulnerability assessment and penetration testing; absent effective continuous monitoring:

  • Bi-annual (twice-yearly) vulnerability assessments (including systematic scans),

  • Annual penetration testing,

• Testing program details are driven by the Risk Assessment.


Section 500.06 Audit Trail

• Focus is on capturing and storing transaction data for purposes of reconstruction,

• Must be “designed to detect and respond to Cybersecurity Events”,

• Implies that Security Information and Event Management (SIEM) is in place,

• Record retention required:

  • Five (5) years for records needed to reconstruct financial transactions,

  • Three (3) years for security audit data.


Section 500.07 Access Privileges

• User access privileges limited based upon Risk Assessment,

• Periodic review of access privileges required.


Section 500.08 Application Security

• In-house developed applications:

  • Written procedures, guidelines and standards to ensure security best practices are used,

• Externally developed applications:

  • Procedures for evaluating, assessing and testing application security,

• CISO must review the documentation periodically.


Section 500.09 Risk Assessment

• One of the most critical and important components in the regulation,

• Drives the specific security activities and controls within the organization,

• Should address technical and non-technical security controls and their effectiveness,

• Risk management focus versus IT assessment.


Section 500.09 Risk Assessment

• Threat Actors and Sources

• Criminal hacker, hacktivist, malicious insider, negligent insider, script kiddie, nation state,

• Attack Vectors/Methods

• Phishing, malware, business email compromise, social engineering, technical backdoors, etc.

• Security program should address most likely threat sources and attack vectors for your organization.


Section 500.09 Risk Assessment: Data Breach Scenario

1. Criminal Hacker

2. Phishing Email

3. Malware Deployed

4. Device Compromised

5. Data Exfiltrated

Section 500.09 Risk Assessment: Security Controls and Mechanisms

People:

• Employee Security Awareness Training

• Mock Phishing Exercises

• CISO/Cyber Expertise

• Security Awareness Surveys

• IR Tabletop Exercises

Policy:

• See Section 500.03

Technology:

• Anti-Virus/Anti-Malware

• Firewalls

• Network Segmentation

• Multi Factor Authentication

• Role Based Access Control

• Encryption

• Vulnerability Scans/Pen Testing

• SIEM

Note: This is not an exhaustive list but merely examples.

Section 500.10 Cyber Personnel and Intel

• “Qualified cybersecurity personnel” must be used to manage the cybersecurity program,

• Cybersecurity personnel must be regularly trained to address new risks and countermeasures,

• 3rd party service provider can be used to meet this requirement.


Section 500.11 3rd Party Service Providers

• Risk assessment procedures must be developed and updated periodically,

• 3rd party service provider assessment prioritization based upon what information systems they can access.


Section 500.12 MFA

• Multi-Factor Authentication,

• Something you know (password),

• Something you have (smartphone),

• Something you are (fingerprints),

• Must be used for individuals accessing internal network from external network,

• Equal or more secure methods can be used if approved by CISO in writing.
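To make the three factors concrete, here is an added example (not from the deck or the regulation) of the server-side check a Covered Entity would run when someone reaches the internal network from outside: a knowledge factor (password, stored as a salted PBKDF2 hash) plus a possession factor (an RFC 6238 time-based one-time password from an authenticator app), implemented with only the Python standard library. The PBKDF2 work factor, the drift window, the `login`/`enroll` helpers and the demo user are assumptions; the 20-byte secret in the demo is the RFC 6238 test-vector key.

```python
"""Two-factor login check for remote access: a knowledge factor (password,
PBKDF2-hashed) plus a possession factor (RFC 6238 TOTP from an authenticator
app). Added example; not from the regulation or the deck."""
import hashlib
import hmac
import secrets
import struct
from typing import Optional, Tuple

TOTP_STEP = 30               # seconds per TOTP time step (RFC 6238 default)
TOTP_DIGITS = 6
PBKDF2_ITERATIONS = 210_000  # assumed work factor; tune to your hardware


def hotp(key: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(key: bytes, at: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, at // step, digits)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the server stores (salt, digest), never the password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, expected)  # constant-time compare


class TotpVerifier:
    """Checks a submitted code against the current step and +/- `window`
    adjacent steps (clock drift), and never accepts a step at or before the
    last accepted one, so a captured code cannot be replayed."""

    def __init__(self, key: bytes, window: int = 1):
        self.key = key
        self.window = window
        self.last_counter = -1

    def verify(self, code: str, at: int) -> bool:
        if not (code.isascii() and code.isdigit() and len(code) == TOTP_DIGITS):
            return False
        counter = at // TOTP_STEP
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue  # already used (or older): refuse replay
            if hmac.compare_digest(hotp(self.key, c), code):
                self.last_counter = c
                return True
        return False


def login(record: dict, password: str, code: str, at: int) -> bool:
    """Both factors must pass. The password is checked first so that a wrong
    password does not consume a valid TOTP step."""
    if not verify_password(password, record["salt"], record["pw_hash"]):
        return False
    return record["totp"].verify(code, at)


def enroll(password: str, totp_key: Optional[bytes] = None) -> dict:
    """Constructed user record: what the server stores after enrolment."""
    salt, pw_hash = hash_password(password)
    return {"salt": salt, "pw_hash": pw_hash,
            "totp": TotpVerifier(totp_key or secrets.token_bytes(20))}


if __name__ == "__main__":
    # Constructed demo user with the RFC 6238 test secret "12345678901234567890"
    user = enroll("correct horse battery staple", b"12345678901234567890")
    print("code at t=59:", totp(b"12345678901234567890", 59))  # 287082
    print("login ok:", login(user, "correct horse battery staple", "287082", 59))
    print("replay ok:", login(user, "correct horse battery staple", "287082", 59))
```

The replay check (`last_counter`) is the part most home-grown implementations omit; without it the 30-second validity window plus the drift window means a phished code can be reused by the attacker within about a minute. A CISO approving a “reasonably equivalent or more secure” alternative under 500.12 should ask the same question of that alternative.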


Section 500.13 Limitation on Data Retention

• Policies and procedures for secure disposal must be developed and implemented,

• NPI no longer necessary for business operations must be periodically disposed.


Section 500.14 Training and Monitoring

• Activity of Authorized Users must be monitored for:

• Unauthorized access or use of NPI,

• Tampering with NPI,

• “Regular” cybersecurity awareness training for all personnel required,

• Training should be based upon risks identified in the Risk Assessment.
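The monitoring obligation in 500.14(a) is only as good as the audit trail from 500.06 that feeds it. As an added example (not from the deck or the regulation), the following Python script runs three detections over a constructed audit trail: an Authorized User reading NPI their role is not entitled to, an UPDATE or DELETE of NPI by a role that may only read it (tampering), and a burst of NPI reads by one user large enough to look like exfiltration. The log format, the role entitlement table, the thresholds and the sample lines are all assumptions for illustration; a real deployment would take the entitlements from the access policy kept under 500.07.

```python
"""Monitoring of Authorized User activity against NPI, run over an audit trail.
Added example; not from the regulation or the deck. The log format, the role
entitlements and the thresholds are assumptions for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed access policy (what 500.07 would have you document): which actions
# each role is entitled to perform on records classified as NPI.
ENTITLEMENTS: Dict[str, set] = {
    "teller": {"READ"},
    "loan_officer": {"READ", "UPDATE"},
    "dba": set(),      # administers the platform, not entitled to NPI contents
    "analyst": set(),
}
BULK_THRESHOLD = 100                 # NPI records read by one user ...
BULK_WINDOW = timedelta(minutes=10)  # ... within this window = exfil indicator

# Constructed sample audit trail; one event per line, key=value fields.
SAMPLE_LOG = """\
2017-03-01T09:12:03Z user=jsmith role=teller action=READ obj=cust/10492 class=NPI count=1
2017-03-01T09:12:40Z user=jsmith role=teller action=READ obj=cust/10493 class=NPI count=1
2017-03-01T09:15:10Z user=mchen role=dba action=READ obj=cust_table class=NPI count=1
2017-03-01T09:16:00Z user=rlee role=loan_officer action=UPDATE obj=cust/20011 class=NPI count=1
2017-03-01T09:18:22Z user=jsmith role=teller action=DELETE obj=cust/10493 class=NPI count=1
2017-03-01T09:20:00Z user=akhan role=analyst action=READ obj=report/q1 class=PUBLIC count=500
2017-03-01T09:31:05Z user=rlee role=loan_officer action=READ obj=cust_export class=NPI count=80
2017-03-01T09:33:40Z user=rlee role=loan_officer action=READ obj=cust_export class=NPI count=40
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<rest>.+)$")


def parse_event(line: str) -> dict:
    """Parse one 'timestamp key=value ...' audit line into a dict."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    ev = dict(tok.split("=", 1) for tok in m.group("rest").split())
    ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    ev["count"] = int(ev.get("count", "1"))
    return ev


def detect(lines: List[str]) -> List[dict]:
    """Return alerts for unauthorized NPI access, tampering and bulk reads."""
    alerts: List[dict] = []
    recent_reads = defaultdict(list)  # user -> [(ts, count)] authorized NPI reads
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("class") != "NPI":
            continue  # only NPI is in scope for 500.14(a)
        allowed = ENTITLEMENTS.get(ev["role"], set())
        if ev["action"] not in allowed:
            kind = "TAMPERING" if ev["action"] in ("UPDATE", "DELETE") else "UNAUTHORIZED_ACCESS"
            alerts.append({"kind": kind, "user": ev["user"], "ts": ev["ts"],
                           "detail": f"{ev['role']} performed {ev['action']} on {ev['obj']}"})
            continue
        if ev["action"] == "READ":
            # Sliding window of this user's authorized NPI reads.
            window = recent_reads[ev["user"]]
            window.append((ev["ts"], ev["count"]))
            window[:] = [(t, c) for t, c in window if ev["ts"] - t <= BULK_WINDOW]
            total = sum(c for _, c in window)
            if total >= BULK_THRESHOLD:
                alerts.append({"kind": "BULK_READ", "user": ev["user"], "ts": ev["ts"],
                               "detail": f"{total} NPI records read within {BULK_WINDOW}"})
                window.clear()  # alert once per burst, not on every further read
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(a["ts"].isoformat(), a["kind"], a["user"], a["detail"])
```

On the sample trail this raises three alerts: the DBA reading a customer table, the teller deleting a customer record, and the loan officer pulling 120 NPI records in under three minutes. Note what the rules do not catch: the analyst’s 500-row read is ignored because the object is classified PUBLIC, which is why the data classification work under 500.03 has to be done before monitoring can be meaningful.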


Section 500.15 Encryption of NPI

• Implementation based upon Risk Assessment findings,

• NPI must be encrypted at rest and in transit over external networks,

• If not practical compensating controls can be used if approved by CISO.


Section 500.16 Incident Response Plan

• Written IR Plan must be implemented,

• IR Plan must be updated after Cybersecurity Event occurs,

• Not required but we recommend semi-annual tabletop exercises to identify gaps and weaknesses.


Notices to Superintendent Section 500.17

• The rule contains a requirement for notification to the Superintendent of the Department.

• Notice is required no later than 72 hours after the determination that a “Cybersecurity Event” has occurred.

• A Cybersecurity Event is defined as “an act or attempt to gain unauthorized access to, disrupt or misuse the company’s information systems or information stored on these systems”

• Notice is required if it is determined that:

  • “Notice is required to be provided to any government body, self-regulatory agency or any other supervisory body”; or

  • The Cybersecurity Event has a reasonable likelihood of materially harming the normal operations of the company.

• Additional requirement for the submission of an annual written statement to the Superintendent by February 15 of each year in relation to the events of the prior calendar year.


Section 500.18 Confidentiality

• Information provided by a Covered Entity is exempt from disclosure under Banking, Insurance, Financial Services, and Public Officers Laws.


Section 500.19 Limited Exemptions

A Covered Entity meeting any of the following criteria is exempt from certain provisions of the NY regulation:

• Fewer than 10 employees, including any independent contractors, of the Covered Entity or its Affiliates located in New York or responsible for business of the Covered Entity, or

• Less than $5 million in gross annual revenue in each of the last three fiscal years from NY business operations of the Covered Entity and its Affiliates, or

• Less than $10 million in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates.

Such a Covered Entity is exempt from the following requirements:

500.04(a) Designating a Chief Information Security Officer

500.04(b) Report to Board of Directors

500.05 Penetration Testing and Vulnerability Assessments

500.06 Audit Trail

500.08 Application Security

500.10 Cybersecurity Personnel and Intelligence

500.12 Multifactor Authentication

500.14 Training and Monitoring

500.15 Encryption of Nonpublic Information

500.16 Incident Response Plan

• A Covered Entity that qualifies for any of the above exemptions pursuant to this section shall file a Notice of Exemption in accordance with the regulation within 30 days of the determination that the Covered Entity is exempt.

Section 500.20 Enforcement

• The NYDFS Superintendent has enforcement authority under existing, applicable law.

• No express private right of action.

• NYDFS has already been conducting audits of financial services orgs since 2015, which it has initiated with a cybersecurity questionnaire.


Liability Risks

• The Rule presents liability risks and exposure beyond NYDFS regulatory enforcement

• Despite lack of private right of action, Plaintiffs’ lawyers may assert the Rule as “standard of conduct” to underpin the following:

o Consumer state law claims – including class actions

o Shareholder derivative actions

o Business claims – e.g. contractual

o State and federal breach notification law claims

• Exposure underscored by reporting and certification requirements


Insurance Recommendations

• Check D&O coverage - e.g. does it cover false or inaccurate certifications by applicable staff

  • Some policies broadly exclude these types of actions

• Check E&O policies for coverage regarding 3rd Party Vendors

• Consider a stand-alone cyber policy

• Other insurance issues important for data breach issues:

  o The definition of a breach

  o The definition of private information

  o When is coverage retroactive to?

  o How much of “Crisis Management” is covered? i.e. responding to the breach initially, investigations, etc.


Compliance Recommendations

• Utilize a formal Risk Assessment process – e.g.:

  • FFIEC Cybersecurity Assessment Tool

  • NIST Framework

• A thorough Risk Assessment process should be well documented, set realistic timetables, and prioritize asset protection based upon risk and budget

• Proper governance measures –

  • Cyber is not just an “IT issue” – there must be buy-in and participation by the entire organization, which starts with the top

  • Development of a “culture of cyber-awareness”

  • Use of the NACD Handbook on Cyber-Risk Oversight

  • Use of outside experts

• Engaging workforce education

• Third party cyber vetting and monitoring


Section 500.21 Effective Date

• The new requirements are effective as of March 1, 2017

• Covered entities are required to annually submit to the superintendent a Certification of Compliance to the Department beginning February 15, 2018


Section 500.22 Transitional Periods

Financial Services Institutions have been given transition periods for implementing the cybersecurity regulation. The transition periods, measured from the March 1, 2017 effective date, are highlighted below:

180 days:

500.02 Cybersecurity Program

500.03 Cybersecurity Policy

500.04(a) Designation of a Chief Information Security Officer

500.07 Access Privileges

500.10 Cybersecurity Personnel and Intelligence

500.16 Incident Response Plan

500.17 Notices to Superintendent

1 year:

500.04(b) Report to Board of Directors

500.05 Penetration Testing and Vulnerability Assessments

500.09 Risk Assessment

500.12 Multifactor Authentication

500.14(b) Cybersecurity Awareness Training

18 months:

500.06 Audit Trail

500.08 Application Security

500.13 Limitations on Data Retention

500.14(a) Implement Monitoring of Authorized and Unauthorized Activity

500.15 Encryption of Nonpublic Information

2 years:

500.11 Third Party Service Provider Security Policy

Insurance Recommendations

• The rule presents financial services firms with a variety of obligations that could lead to liability from regulatory actions or litigation from consumers

• Officers must now certify annually that their firm is compliant with the Department’s regulations, which creates a temptation to overstate a company’s protections in order to certify compliance

• Companies will want to check that their directors and officers liability insurance covers these potential actions or lawsuits

  • Some policies broadly exclude these types of actions

• If using a third party vendor, be sure the vendor has an extensive technology errors and omissions liability insurance policy and that it covers cybersecurity claims


Questions?

Monique Jean, General Counsel

Strategic Compliance Partners

301-691-1307

[email protected]

Joseph Kelley III, Principal

Offit Kurman

267-338-1368

[email protected]

Robert Olsen, CEO

Compass Cyber Security

667-401-5105

[email protected]