Everything You Need To Know About New York’s New DFS Cybersecurity Regulations
In early September 2016, the New York State Department of Financial Services (DFS), under the direction of Governor Andrew Cuomo, announced that a “first-in-the-nation regulation has been proposed to protect New York State from the ever-growing threat of cyber attacks.”
As of this writing, the new update is subject to public comment for a shorter, 30-day window. The latest updates, among other things, pushed back the implementation, from Jan 1, 2017 to March 1, 2017, and increased the time organizations had to comply from 90 days to 180-days after the regulations take effect. The new regulations, known as Section 500 or 23 NYCRR 500, will apply to financial services companies licensed by New York, but not to nationally chartered institutions. However, as Bloomberg News noted, because this is the first regulator issuing cybersecurity guidelines, it may impact or provide a starting point for other state or even national regulators.
This potentially wide-reaching impact is why CISOs of all industries should be paying attention to these regulations, how they’re received, and what may result from them. In this article, we’ll go over the proposed regulations and subsequent changes that occurred the first review period and what CISOs should be focused on.
New DFS Regulations Focus on Strengthening Cybersecurity Fundamentals and Third-Party Risk Management Programs
The DFS regulations, which can be found here, were originally released in September and were updated later in December following a public comment period. The new regulations cover a wide swath of requirements covering 5 major areas, as listed in a shorter document summarizing the proposed cybersecurity requirements.
- Establishment of a Cybersecurity Program
- Adoption of a Cybersecurity Policy
- Chief Information Security Officer
- Third-Party Service Providers
- Additional Requirements
Establishment and adoption of a cybersecurity policy and program include cybersecurity processes such as penetration testing, access privilege reviews, among others, similar to other guidelines and standards pertaining to information security. These requirements focus on implementing a preventive and reactive policy that can quickly recover should a security incident occur.
Regarding what an organization should adopt in their cybersecurity program, the DFS has written short sections on the following:
- Penetration Testing and Vulnerability Assessments
- Audit Trails
- Access Privileges
- Application Security
- Risk Assessments
- Cybersecurity Personnel and Intelligence
- Multi-factor Authentication
Although these requirements are best practices for any information security department, the direct attention to CISOs and Third-Party Service Providers prompts further exploration.
The DFS Regulations state that all ‘Covered Entities’ (organizations subject to the regulation) must designate a CISO who must report, in writing, to the board the efficacy of the organization’s cybersecurity policy, material risks, and integrity of its systems annually.
Third-Party Risk Management Requirements Become More Stringent
Regarding Third-Parties, the regulations have an extensive section dedicated to having organizations “implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third-Party Service Providers.”
The DFS list of third-party security regulations focus on identifying and assessing the risk of third-parties (something we covered here), requiring them to meet minimum cybersecurity practices, engaging in third-party due diligence and periodic assessment, and “continued adequacy” of cybersecurity practices, among others.
These additions were based on a report on third-party service providers in the banking sector that the NY DFS published in April 2015, updating a previous May 2014 report. In it, the DFS found that 95% of the surveyed banking organizations conduct specific information security risk assessments with high-risk vendors and that 90% have information security requirements for third-parties.
However, once we get into more mature third-party risk management processes, not every organization adheres to best practices. Of the banking organizations surveyed, 21% do not require third-parties to represent that they have established minimum information security requirements and only 36% have information security requirements that extend to third-party subcontractors (also known as fourth-parties).
Regarding the protection of sensitive data, 90% of organizations encrypt data transmitted to or from third-parties but only 38% use encryption for data at rest, which is often the data at risk as it is targeted by attackers who are looking to access sensitive information within an organization’s network.
This third-party report provides insight into the DFS’ perspective on third-party risk management and future updates can serve as an indication for how the DFS may shift and add regulatory requirements to their third-party risk management section of the regulation proposal.
New DFS Regulations Set The Future Direction of Compliance, All CISOs Should Take Notice
These regulations will be followed by a number of other regulatory and industry standard organizations as an example of cybersecurity best practices that other financial institutions and organizations may have to follow. CISOs in financial institutions who are directly impacted by the new DFS regulations should take the necessary steps to reach compliance and can submit their first annual certification to the DFS by February 15, 2018.
We recommend all CISOs do the following:
Pay close attention to the next update
The next, and final, version of the DFS regulations is slated to come out after the end of the review period, which ended in mid-January and will be implemented on March 1st. CISOs should pay attention to the changes from the most recent version, which will reflect the comments and feedback made by other financial organizations. This is directly related to our next point.
Understand the trend
One of the revisions made between the DFS regulations is how often CISOs were required to report to the board of directors. Initially, the cadence required that a CISO reported to their board twice a year. The most recent update has shifted from a biannual reporting requirement to an annual reporting requirement an organization’s best move is to engage in continuous risk monitoring in order to be able to report to the board as needed regardless of the required reporting cadence which may change over time.
Identify the focus areas
The biggest takeaway from the DFS regulations is the attention on third-party risk management. As breaches are increasingly attributed to third parties or subcontractors, the importance of third-party risk management from an information security standpoint has been rightly highlighted by a number of regulatory and guiding standards. CISOs must prepare for the likelihood that future updates or other regulations based off the DFS will have the same requirements regarding third-parties, if not more.
Get ahead of the regulations
CISOs should be proactive and follow many of these guidelines and requirements, even if they’re not subject to them. The financial industry is the most regulated from a cybersecurity standpoint because they have the highest likelihood of being targeted by hackers. By modeling your information security system on the DFS guidelines, you’re ensuring that your level of security is ahead of your industry. Then, if updates to existing regulations are published that are based on the DFS regulations, your organization is already prepared and compliant.
The financial and security industries are looking at the new DFS regulations with a close eye. The next update will set in place how major institutions will be regulated and how organizations react and adhere to these regulations will set a tone for future updates and related regulatory actions. Like with information security as a whole, CISOs should practice proactivity in regards to these regulations, not only for compliance’s sake but for security’s sake.