Interpreting the New York State Cybersecurity Regulations

Posted in Governance, Risk Management and Compliance (GRC)
New York State has led the nation in releasing its 23 NYCRR 500 cybersecurity regulation for financial institutions. This article is aimed mostly at those institutions, to give them guidance on what this regulation expects of them, but its adoption has consequences for all states, as it is likely this will be expanded nationally in the US.

First, let's be clear: this regulation is a good thing. It will add more regulatory overhead in the short term, but it sends a message that companies are simply not going far enough in their cybersecurity strategy. Installing a firewall and paying for network monitoring are not enough. A proper cyber defensive strategy includes people, process and technology, with continuous improvement. This regulation mandates that these things are now done at a deep level, and driven by someone who has cybersecurity experience, i.e. a CISO. Even better, the regulators have understood that these roles may be hard to fill internally and have made a provision that all aspects of the program can be outsourced, a boon to consulting companies and experienced vCISO companies.

The high-level requirements are listed below:
  • Implement a cybersecurity program which includes
    • A risk assessment and management program
    • Technical controls combined with policies and procedures, including data retention, multi-factor authentication and encryption
    • A fully featured incident response program
  • Implement and maintain a full suite of information security policies,
  • Appoint a Chief Information Security Officer and security team to manage the cybersecurity program,
  • Perform annual penetration tests and bi-annual vulnerability assessments,
  • Ensure proper access control and system auditing is logged,
  • If applications are developed in-house, ensure an application security program is in place (Secure SDLC),
  • Implement and manage a Vendor/Third Party Risk Management program and
  • Ensure proper training of the security team and employees around security awareness.
Financial Institutions have the following deadlines to comply with this regulation:
  • August 28th, 2017 to comply with all sections except for those below.
  • March 1st, 2018 to have the following in place:
    • CISO appointed
    • Penetration Testing and Vulnerability Requirements
    • Multi-Factor authentication implemented
    • Encryption implemented
  • September 1st, 2018 to have a vendor management program in place
As always, it's best not to wait until the last minute to get these controls in place. Firms are encouraged to approach this proactively, which will also be easier on budgets when the work is spread across the deadlines provided.