What is the New York Cybersecurity Regulation? What you need to do to comply

Officially called 23 NYCRR 500, this regulation requires financial services firms doing business in New York to have a full security risk assessment and plan.

Page 2 of 2

The regulation requires organizations to document and conduct assessments “in accordance with written policies and procedures.” Guidance given on those policies and procedures is vague and includes:

  • Criteria for the evaluation and categorization of identified cybersecurity risks or threats
  • Criteria for assessing the confidentiality, integrity, security, and availability of information systems and non-public information
  • Requirements for how identified risks will be mitigated or accepted

The deadline for compliance with this section of the regulation is September 1, 2018.

Use qualified, knowledgeable cybersecurity staff

Security staff—employees or contracted—must be “sufficient to manage” the covered entity’s risk and core cybersecurity functions. The regulation makes no attempt to define “sufficient to manage.” Covered entities must provide security updates and training to security personnel, and they must verify that security personnel are maintaining their knowledge of current threats and countermeasures. Again, there is no guidance on how to train or verify.

Develop a third-party service provider security policy

The regulation requires organizations to evaluate the risk posed to their information systems and data by third-party service providers as part of their overall risk assessment. They must hold those providers to a minimum security standard, which will be determined through a “due diligence process.” That standard must be written into the contract between the organization and the provider. Covered entities must also periodically evaluate the risk presented by third-party providers.

Vibbert sees the potential for companies to struggle with the audit provisions regarding third-party providers. “It has these very specific provisions about the types of due diligence you have to do, the types of questions you have to ask and the types of oversight you have to do,” she says. “Most companies have so many touchpoints with third parties that actually having a well-balanced, tiered third-party management program in place is really hard.”

The deadline for full compliance with this section of the regulation is March 1, 2019.

Implement multi-factor authentication or risk-based authentication

Each covered entity must evaluate its risk to determine which controls to use to protect against unauthorized access. Multi-factor authentication (MFA) is required for external access to the organization’s networks unless it has written permission to use a “reasonably equivalent” or more secure alternative.

This is one of the more prescriptive sections of 23 NYCRR 500, and as such it’s generating a little concern among affected organizations. Vibbert, for example, says she is also getting a lot of questions about MFA. “I don’t really see companies struggling with it so much as trying to make sure that they are complying with the risk-based authentication measures,” she says.

Limit data retention

Covered entities must be able to securely delete any non-public information that is no longer necessary for business purposes. Data that is required to be saved by law or regulation is exempt.

The deadline for compliance with this section of the regulation is September 1, 2018.

Monitor authorized users and train personnel

The New York Cybersecurity Regulation requires organizations to implement risk-based monitoring of the activity of authorized users for unauthorized access to non-public information. All personnel must receive periodic security awareness training.

The deadline for compliance with the requirement to monitor authorized users is September 1, 2018.

Encrypt non-public information

The language for this requirement is a bit fuzzy. Organizations must “implement controls, including encryption, to protect non-public information held or transmitted by the covered entity both in transit over external networks and at rest.” However, the DFS seems to recognize the technical difficulty of meeting that standard. It allows organizations to use “effective alternative compensating controls” if encryption is unfeasible, as long as the CISO reviews those controls annually.

The deadline for compliance with this section of the regulation is September 1, 2018.

Create an incident response plan

Each organization must have a written incident response (IR) plan that defines:

  • The internal processes for responding to an incident
  • The goals of the IR plan
  • The roles, responsibilities and levels of decision-making authority
  • External and internal communications and information sharing
  • Requirements for remediation of any identified weaknesses in the information systems or controls
  • Documentation and reporting on security events and IR activities
  • How to evaluate and revise the IR plan following an event

Copyright © 2018 IDG Communications, Inc.
