What is the New York Cybersecurity Regulation? What you need to do to comply

Officially called 23 NYCRR 500, this regulation requires financial services firms doing business in New York to have a full security risk assessment and plan.


In March 2017, the New York State Department of Financial Services (DFS) implemented 23 NYCRR 500, generally referred to as the New York Cybersecurity Regulation. Its aim is to encourage financial services firms doing business in the state to minimize their security risks. Although many experts see the regulation as flawed, 23 NYCRR 500 is expected to set a precedent for cybersecurity laws and regulations in other states.

Given the importance of the financial services industry to New York’s economy, it’s easy to see why the DFS enacted the regulation. New York is home to many of the leading global and domestic financial institutions, and the industry represents about 30 percent of the state’s gross domestic product (GDP). If that industry falters, New York takes a big hit in terms of revenue, jobs and reputation. The regulation requires organizations to adhere to what the DFS considers a minimum standard set of security best practices.

Setting a cybersecurity regulation standard for the U.S.

Much like the European Union’s General Data Protection Regulation (GDPR), the New York Cybersecurity Regulation has far-ranging geographic reach. “Because New York is such a big market, [23 NYCRR 500] will have a sweeping effect on companies within the United States headquartered outside of New York, as well as companies that are headquartered outside of the United States,” says Harley Geiger, director of public policy at Rapid7. “In this way, the regulation is similar to GDPR. A lot of U.S.-based companies, because they do business in Europe, are now finding themselves in the position where they have to comply with EU regulations.”

“Once DFS gets into the business of enforcing this law, I think you will see laws follow quickly in other states and other industries,” says Jami Vibbert, counsel with the eCommerce, Privacy, and Cybersecurity Group at law firm Venable LLC.

Another reason why the New York Cybersecurity Regulation might set a standard for the U.S.: The federal government is not expected to enact cybersecurity legislation anytime soon. “You’re seeing a degree of inertia from the federal government on cybersecurity regulation,” says Geiger. “Instead, there are multiple non-federal actors, such as states like California and New York, that are taking independent action. Because we do business in such an interconnected world, even regulations in geographically limited areas can affect a broad swath of companies.”

Geiger adds that this “patchwork of regulations” puts organizations in a difficult position of having to comply with multiple standards. “The complexity is burdensome, even if it does serve the ultimate end of strengthening cybersecurity. A more ideal situation would be a uniform set of regulations that strengthens cybersecurity but makes compliance easier to manage,” he says.

What organizations does 23 NYCRR 500 target?

A 23 NYCRR 500 “covered entity” is any person or organization that is authorized to operate in the state of New York under banking law, insurance law, or financial services law. This includes out-of-state organizations that do business in New York as well as “affiliates,” which are persons with the power to direct or influence the policies of an organization. Exemptions from all or parts of 23 NYCRR 500 include organizations that:

  • have fewer than 10 employees, including contractors, of the covered entity or affiliates located in New York.
  • have less than $5 million in gross annual revenue from New York operations by the covered entity and affiliates in each of the last three years.
  • have less than $10 million in year-end total assets, including assets of affiliates.
  • do not directly or indirectly operate, maintain, use, or control any information systems.

Organizations that take too narrow a view of the jurisdictional requirements of the regulation might place themselves at risk if they don’t submit a certification form, says Vibbert. “That’s something the DFS can easily see and track,” she says. “If they think that you are covered and you don’t certify that you are compliant, I think they may make a case out of someone who does that.”

Why 23 NYCRR 500 exists

The introduction of 23 NYCRR 500 makes it clear that the regulation is the New York DFS’s response to “the ever-growing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors.” The regulators believed they needed to act to protect against potential financial losses and theft of individuals’ private information.

“New York wants to be seen as innovative [in cybersecurity],” says Vibbert. “They want to be seen as the financial center of the United States, which is why I think they started with financial services. The state’s attorney general has also taken some significant moves to enforce reasonable data security measures against companies that sell products within the borders of New York state.”

What security needs to know about 23 NYCRR 500

At its core, the New York Cybersecurity Regulation is a set of security best practices that covered entities need to follow. The regulation makes clear what an organization needs to do to comply, but offers little guidance on how to implement those measures. Depending on your point of view, this is a strength or a weakness of the regulation.

Some observers believe that the regulation gives covered entities flexibility in how they implement the measures, and this allows those organizations to find a solution that’s appropriate for them. “[The DFS] doesn't detail the technical means for a company to comply with the law, which provides some flexibility,” says Geiger. “DFS has left it up to the companies to choose their technologies to meet the security requirements.”

Others say that the vague language leaves too much room for interpretation. That could put organizations at risk of being non-compliant by doing too little or place an unnecessary burden on them if they do too much.

The New York Cybersecurity Regulation was, in fact, more prescriptive in its original draft. “The final version that was enacted pulled back from some of its prescriptive nature, but still maintained some of it,” says Vibbert. “The risks to the security community in any law that has any specific security requirements is that it becomes outdated and difficult to follow. What’s good about this law is that it does allow for a flexible approach based on a risk assessment specific to what information and systems you have.”

The DFS has also provided some flexibility in terms of what should or shouldn’t be reported. “For certain incidences, like routine hacks or malicious activity, [the DFS] does not expect a company to report that,” says Geiger. “DFS has been clear that they understand that the financial services sector is under attack all the time and not every routine hack or malicious activity needs to be reported. The company must use its own judgment in reporting serious attacks that cause potential or actual harm.”

Security teams also need to understand the DFS’s definition of non-public information. “Non-public information in this law is defined much broader than traditional definitions, which focus on personal information such as name, Social Security numbers, and the like,” says Vibbert. The New York definition of non-public information includes confidential information such as any information that could harm the company if released, she notes. “There’s far more confidential information floating around these organizations than there is personal information,” she says. “This has broadened the scope of what CISOs need to worry about.”

These are the key provisions of 23 NYCRR 500. The regulation is currently in a transition period in which some sections have future compliance dates, as noted where appropriate:

Develop a cybersecurity program

All covered entities are required to have a formal cybersecurity program to “protect the confidentiality, integrity and availability” of their information systems. This program will be based on a required risk assessment (see below), and focuses on these core functions:

  • Identify and assess internal and external risks.
  • Implement a defensive infrastructure along with policies and procedures to protect systems from unauthorized access, use, or other malicious acts.
  • Detect cybersecurity events.
  • Respond to identified or detected cybersecurity events to mitigate “negative effects.”
  • Recover from cybersecurity events and restore normal services.
  • Fulfill regulatory reporting obligations.

All covered entities are required to document all information relevant to the cybersecurity program.

Set a cybersecurity policy

The regulation requires each covered entity to have a written cybersecurity policy that is approved by its senior management or board of directors. This policy should be based on a risk assessment. Among the areas the New York Cybersecurity Regulation expects covered entities to include in the policy are data governance, asset inventory and device management, access controls and identity management, business continuity, customer data privacy, and third-party service provider management.

The New York regulation aside, Geiger is seeing greater interest among executive management to develop cybersecurity policies. “More companies are establishing cybersecurity policies,” he says. “There’s still a long way to go, however, as more traditionally non-tech companies incorporate connectivity into their products. The growing patchwork of regulation plays a role in prompting this cultural shift, as well as regular data breaches and the class-action lawsuits that follow.”

Appoint a CISO

Covered entities that don’t already have a chief information security officer (CISO) are required to designate “a qualified individual responsible for overseeing and implementing the covered entity’s cybersecurity program and enforcing its cybersecurity policy.” The CISO may be an employee of the covered entity or an affiliate, or an organization may use a third-party service provider.

The rationale for requiring a CISO role, it seems, is to give cybersecurity a seat at the executive table. “The CISO’s role should not be understated,” says Geiger. “In many ways, cybersecurity is less a technical problem and much more a management and administrative problem. Elevating the role of CISOs within organizations is only going to help.”

Perform penetration testing and vulnerability assessments

This is one of the 23 NYCRR 500 provisions that leaves much to the discretion of the covered entity. All are required to either continuously monitor or do periodic penetration testing and vulnerability assessment to determine the effectiveness of their cybersecurity program. The regulation offers no guidance as to what is an acceptable pen test or vulnerability testing methodology.

Be able to do an audit

In response to “cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations,” a covered entity must be able to produce an audit trail. The organization should also be able to reconstruct financial transactions sufficiently to support normal operations.

The deadline for full compliance for this section of the regulation is September 1, 2018.

Manage access privileges

The regulation requires covered entities to limit access privileges to non-public information and to periodically review those privileges.

Ensure application security

Covered entities must have written processes and standards to ensure secure software development practices. This includes evaluating and testing software developed by a third party. Those processes and standards must be periodically reviewed by the CISO or a “qualified designee.”

The regulation gives no guidance as to what those processes or standards should be. Neither does it provide any metrics to help determine whether the software is secure.

Perform a risk assessment

The risk assessment is a core function for any organization that needs to be compliant with 23 NYCRR 500. The regulation requires covered entities to build their cybersecurity plans, policies, and processes around the outcomes of the risk assessment. They must repeat the assessment periodically (though the regulation offers no guidance on frequency), and each organization must “allow for revision of controls to respond to technological developments and evolving threats.”

Vibbert sees the flexibility that the law provides as an advantage when it comes to doing a risk assessment. “It allows you to tailor your security controls to the findings of the risk assessment,” she says.

To best comply with the regulation and to get the most security benefit, Vibbert advises that you use the risk assessment to understand what the threats are to your business. “I think people’s understanding of what a risk assessment really is and how helpful it can be is skewed and not accurate in a lot of instances,” she says. “Really understanding what the threats to your data are and using that information to help you comply with this law in the best way will keep you from the ‘check the box’ approach.” Just having multi-factor authentication in place, saving documents to the retention period, or having a written policy that isn’t implemented won’t make your organization more secure, she adds. A thorough risk assessment can, on the other hand, help you comply with legal obligations and make your organization more secure.
