What is the New York Cybersecurity Regulation? What you need to do to comply

In March 2017, the New York State Department of Financial Services (DFS) implemented 23 NYCRR 500, generally referred to as the New York Cybersecurity Regulation. Its aim is to encourage financial services firms doing business in the state to minimize their security risks. Although many experts see the regulation as flawed, 23 NYCRR 500 is expected to set a precedent for cybersecurity laws and regulations in other states.

Given the importance of the financial services industry to New York’s economy, it’s easy to see why the DFS enacted the regulation. New York is home to many of the leading global and domestic financial institutions, which represents about 30 percent of the state’s gross domestic product (GDP). If that industry falters, New York takes a big hit in terms of revenue, jobs and reputation. The regulation enforces organizations to adhere to what the DFS considers a minimum standard set of security best practices.

Setting a cybersecurity regulation standard for the U.S.

Much like the European Union’s General Data Protection Regulation (GDPR), the New York Cybersecurity Regulation has far-ranging geographic reach.  “Because New York is such a big market, [23 NYCRR 500] will have a sweeping effect on companies within the United States headquartered outside of New York, as well as companies that are headquartered outside of the United States,” says Harley Geiger, director of public policy at Rapid7. “In this way, the regulation is similar to GDPR. A lot of U.S.-based companies, because they do business in Europe, are now finding themselves in the position where they have to comply with EU regulations.”

“Once DFS gets into the business of enforcing this law, I think you will see laws follow quickly in other states and other industries,” says Jami Vibbert, counsel with the eCommerce, Privacy, and Cybersecurity Group at law firm Venable LLC.

Another reason why the New York Cybersecurity Regulation might set a standard for the U.S.: The federal government is not expected to enact cybersecurity legislation anytime soon. “You’re seeing a degree of inertia from the federal government on cybersecurity regulation,” says Geiger. “Instead, there are multiple non-federal actors, such as states like California and New York, that are taking independent action. Because we do business in such an interconnected world, even regulations in geographically limited areas can affect a broad swath of companies.”

Geiger adds that this “patchwork of regulations” puts organizations in a difficult position of having to comply with multiple standards. “The complexity is burdensome, even if it does serve the ultimate end of strengthening cybersecurity. A more ideal situation would be a uniform set of regulations that strengthens cybersecurity but makes compliance easier to manage,” he says.

What organizations does 23 NYCRR 500 target?

A 23 NYCRR 500 “covered entity” is any person or organization that is authorized to operate in the state of New York under banking law, insurance law, or financial services law. This includes out-of-state organizations that do business in New York as well as “affiliates,” which are persons with the power to direct or influence the policies of an organization. Exemptions from all or parts of 23 NYCRR 500 include organizations that:

• have fewer than 10 employees, including contractors, of the covered entity or affiliates located in New York.
• have less than $5 million in gross annual revenue from New York operations by the covered entity and affiliates in each of the last three years.
• have less than $10 million in year-end total assets, including assets of affiliates.
• do not directly or indirectly operate, maintain, use, or control any information systems.

Organizations that take too narrow a view of the jurisdictional requirements of the regulation might place themselves at risk if they don’t submit a certification form, says Vibbert. “That’s something the DFS can easily see and track,” she says. “If they think that you are covered and you don’t certify that you are compliant, I think they may make a case out of someone who does that.”

Why 23 NYCRR 500 exists

The introduction of 23 NYCRR 500 makes it clear that the regulation is the New York DFS’s response to “the ever-growing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors.” The regulators believed they needed to act to protect against potential financial losses and theft of individuals’ private information.

“New York wants to be seen as innovative [in cybersecurity],” says Vibbert. “They want to be seen as the financial center of the United States, which is why I think they started with financial services. The state’s attorney general has also taken some significant moves to enforce reasonable data security measures against companies that sell products within the borders of New York state.”

What security needs to know about 23 NYCRR 500

At its core, the New York Cybersecurity Regulation is a set of security best practices that covered entities need to follow. The regulation makes clear what an organization needs to do to comply, but offers little guidance on how to implement those measures. Depending on your point of view, this is a strength or a weakness of the regulation.

Some observers believe that the regulation gives covered entities flexibility in how they implement the measures, and this allows those organizations to find a solution that’s appropriate for them. “[The DFS] doesn’t detail the technical means for a company to comply with the law, which provides some flexibility,” says Geiger. “DFS has left it up to the companies to choose their technologies to meet the security requirements.”

Others say that the vague language leaves too much room for interpretation. That could put organizations at risk of being non-compliant by doing too little or place an unnecessary burden on them if they do too much.

The New York Cybersecurity Regulation was, in fact, more prescriptive in its original draft. “The final version that was enacted pulled back from some of its prescriptive nature, but still maintained some of it,” says Vibbert. “The risks to the security community in any law that has any specific security requirements is that it becomes outdated and difficult to follow. What’s good about this law is that it does allow for a flexible approach based on a risk assessment specific to what information and systems you have.”

The DFS has also provided some flexibility in terms of what should or shouldn’t be reported. “For certain incidences, like routine hacks or malicious activity, [the DFS] does not expect a company to report that,” says Geiger. “DFS has been clear that they understand that the financial services sector is under attack all the time and not every routine hack or malicious activity needs to be reported. The company must use its own judgment in reporting serious attacks that cause potential or actual harm.”

Security teams also need to understand the DFS’s definition of non-public information. “Non-public information in this law is defined much broader than traditional definitions, which focus on personal information such as name, Social Security numbers, and the like,” says Vibbert. The New York definition of non-public information includes confidential information such as any information that could harm the company if released, she notes. “There’s far more confidential information floating around these organizations than there is personal information,” she says. “This has broadened the scope of what CISOs need to worry about.”

These are the key provisions of 23 NYCCR 500. The regulation is currently in a transition period where some sections have future dates for compliance, as noted where appropriate:

Develop a cybersecurity program

All covered entities are required to have a formal cybersecurity program to “protect the confidentiality, integrity and availability” of their information systems. This program will be based on a required risk assessment (see below), and focuses on these core functions:

• Identify and assess internal and external risks.
• Implement a defensive infrastructure along with policies and procedures to protect systems from unauthorized access, use, or other malicious acts
• Detect cybersecurity events.
• Respond to identified or detected cybersecurity events to mitigate “negative effects.”
• Recover from cybersecurity events and restore normal services.
• Fulfill regulatory reporting obligations.

All covered entities are required to document all information relevant to the cybersecurity program.

Set a cybersecurity policy

The regulation requires each covered entity to have a written cybersecurity policy that is approved by its senior management or board of directors. This policy should be based on a risk assessment. Among the areas the New York Cybersecurity regulation expects covered entities to include in the policy are data governance, asset inventory and device management, access controls and identity management, business continuity, customer data privacy, and third-party service provider management.

The New York regulation aside, Geiger is seeing greater interest among executive management to develop cybersecurity policies. “More companies are establishing cybersecurity policies,” he says. “There’s still a long way to go, however, as more traditionally non-tech companies incorporate connectivity into their products. The growing patchwork of regulation plays a role in prompting this cultural shift, as well as regular data breaches and the class-action lawsuits that follow.”

Appoint a CISO

Covered entities that don’t already have a chief information security officer (CISO) are required to designate “a qualified individual responsible for overseeing and implementing the covered entity’s cybersecurity program and enforcing its cybersecurity policy.” The CISO may be an employee of the covered entity or an affiliate, or an organization may use a third-party service provider.

The rationale for requiring a CISO role, it seems, is to give cybersecurity a seat at the executive table. “The CISO’s role should not be understated,” says Geiger. “In many ways, cybersecurity is less a technical problem and much more a management and administrative problem. Elevating the role of CISOs within organizations is only going to help.”

Perform penetration testing and vulnerability assessments

This is one of the 23 NYCRR 500 provisions that leaves much to the discretion of the covered entity. All are required to either continuously monitor or do periodic penetration testing and vulnerability assessment to determine the effectiveness of their cybersecurity program. The regulation offers no guidance as to what is an acceptable pen test or vulnerability testing methodology.

Be able to do an audit

In response to “cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations,” a covered entity must be able to do an audit trail. The organization should also be able to reconstruct financial transactions sufficient to support normal operations.

The deadline for full compliance for this section of the regulation is September 1, 2018.

Manage access privileges

The regulation requires covered entities to limit access privileges to non-public information and to periodically review those privileges.

Ensure application security

Covered entities must have written processes and standards to ensure secure software development practices. This includes evaluating and testing software developed by a third party. Those processes and standards must be periodically reviewed the CISO or a “qualified designee.”

The regulation gives no guidance as to what those processes or standards should be. Neither does it provide any metrics to help determine whether the software is secure.

Perform a risk assessment

The risk assessment is a core function for any organization that needs to be compliant with 23 NYCRR 500. It requires covered entities to build its cybersecurity plans, policies, and processes around the outcomes of the risk assessment. They must repeat the assessment periodically (though it offers no guidance on frequency), and each organization must “allow for revision of controls to respond to technological developments and evolving threats.”

Vibbert sees the flexibility that the law provides as an advantage when it comes to doing a risk assessment. “It allows you to tailor your security controls to the findings of the risk assessment,” she says.

To best comply with the regulation and to get the most security benefit, Vibbert advises that you use the risk assessment to understand what the threats are to your business. “I think people’s understanding of what a risk assessment really is and how helpful it can be is skewed and not accurate in a lot of instances,” she says. “Really understanding what the threats to your data are and using that information to help you comply with this law in the best way will keep you from the ‘check the box’ approach.” Just having multi-factor authentication in place, saving documents to the retention period, or having a written policy that isn’t implemented won’t make your organization more secure, she adds. A thorough risk assessment can, on the other hand, help you comply with legal obligations and make your organization more secure.

The regulation requires organizations to document and conduct assessments “in accordance with written policies and procedures.” Guidance given on those policies and procedures is vague and includes:

• Criteria for the evaluation and categorization of identified cybersecurity risks or threats
• Criteria for assessing the confidentiality, integrity, security, and availability of information systems and non-public information
• Requirements for how identified risks will be mitigated or accepted

The deadline for compliance with this section of the regulation is September 1, 2018.

Use qualified, knowledgeable cybersecurity staff

Security staff—employees or contracted—must be “sufficient to manage” the covered entity’s risk and core cybersecurity functions. The regulation makes no attempt to define “sufficient to manage.” Covered entities must provide security updates and training to security personnel, and they must verify that security personnel are maintaining their knowledge of current threats and countermeasures. Again, there is no guidance on how to train or verify.

Develop a third-party service provider security policy

The regulation requires organizations to evaluate the risk posed to their information systems and data by third-party service providers as part of their overall risk assessment. They must hold those providers to a minimum security standard, which will be determined through a “due diligence process.” That standard must be written into the contract between the organization and the provider. Covered entities must also periodically evaluate the risk presented by third-party providers.

Vibbert sees the potential for companies to struggle with the audit provisions regarding third-party providers. “It has these very specific provisions about the types of due diligence you have to do, the types of questions you have to ask and the types of oversight you have to do,” she says. “Most companies have so many touchpoints with third parties that actually having a well-balanced, tiered third-party management program in place is really hard.”

The deadline for full compliance with this section of the regulation is March 1, 2019.

Implement multi-factor authentication or risk-based authentication

Each covered entity must evaluate its risk to determine which controls to use to protect against unauthorized access. Multi-factor authentication (MFA) is required for external access to the organization’s networks unless it has written permission to use a “reasonably equivalent” or more secure alternative.

This is one of the more prescriptive sections of 23 NYCRR 500, and as such it’s generating a little concern among affected organizations. Vibbert, for example, says she is also getting a lot of questions about MFA. “I don’t really see companies struggling with it so much as trying to make sure that they are complying with the risk-based authentication measures,” she says.

Limit data retention

Covered entities must be able to securely delete any non-public information that is no longer necessary for business purposes. Data that is required to be saved by law or regulation is exempt.

The deadline for compliance with this section of the regulation is September 1, 2018.

Monitor authorized users and train personnel

The New York Cybersecurity Regulation requires organizations to implement risk-based monitoring of the activity of authorized users for unauthorized access to non-public information. All personnel must receive periodic security awareness training.

The deadline for compliance with the requirement to monitor authorized users is September 1, 2018.

Encrypt non-public information

The language for this requirement is a bit fuzzy. Organizations must “implement controls, including encryption, to protect non-public information held or transmitted by the covered entity bot in transit over external networks and at rest.” However, the DFS seems to recognize the technical difficulty of meeting that standard. It allows organizations to use “effective alternative compensating controls” if encryption is unfeasible as long as the CISO reviews those controls annually.

The deadline for compliance with this section of the regulation is September 1, 2018.

Create an incident response plan

Each organization must have a written incident response (IR) plan that defines:

• The internal processes for responding to an incident
• The goals of the IR plan
• The roles, responsibilities and levels of decision-making authority
• External and internal communications and information sharing
• Requirements for remediation of any identified weaknesses in the information systems or controls
• Documentation and reporting on security events and IR activities
• How to evaluate and revise the IR plan following an event