23 NYCRR 500 Compliance: Here’s What You Need by March
This past March, the New York Department of Financial Services (NYDFS) enacted a ground-breaking set of cybersecurity regulations to which all financial institutions operating in New York state must adhere. These cybersecurity rules were the first of their kind–never before had financial services been subject to cybersecurity-specific mandates.
Now, with 2018 almost here, the deadline is rapidly approaching for financial institutions to comply with several of the requirements laid out by the NYDFS. Starting March 1, 2018, all financial institutions that qualify as “Covered Entities” must abide by certain provisions outlined in 23 NYCRR Part 500. These include:
500.05: ‘Penetration Testing and Vulnerability Assessments’
Financial institutions will be expected to perform annual penetration testing of their information systems. These tests will be based on known risks that have been identified through a formal risk assessment process (more on that later).
Section 500.05 also requires “bi-annual vulnerability assessments” with the purpose of identifying “publicly known cybersecurity vulnerabilities.” This ensures any changes made to information systems that might create or be symptomatic of a vulnerability are verified to be secure.
Continuous threat and risk monitoring–such as that provided through a security operations center (SOC) or SOC-as-a-service–is an acceptable alternative to these periodic assessments.
500.09: ‘Risk Assessment’
“Risk assessments are crucial to the development of effective security policies.”
The design of an organization’s cybersecurity program must be guided by formal, documented risk assessments of its information systems. Once cybersecurity risks are identified, policies and procedures that address those risks must be created, recorded, monitored and enforced.
Risk assessments are crucial when tailoring security policies to an organization’s particular operations. Rather than prescribing blanket policies that don’t apply to everyone, this puts the onus on institutions to do their due diligence and identify risks unique to their organization.
500.12: ‘Multi-Factor Authentication’
Financial institutions must implement specific security controls to protect non-public information from potential exposure. These controls may include certain forms of risk-based authentication as indicated through risk assessment.
Section (b) of 500.12 also specifies that any access to a financial institution’s internal network from an outside network must be guarded with multi-factor authentication.
Finally, financial institutions must establish “risk-based policies, procedures and controls” that monitor authorized user behavior and actively detect unauthorized access to, or manipulation of, non-public information (e.g., personally identifiable information such as names, addresses, Social Security numbers, etc.).
500.14: ‘Training and Monitoring’
Organizations must also provide periodic security training for employees. Training content is to be based on the types of risks identified via the institution’s risk assessment.
Are You Compliant?
With just a few months left in this transitional period, financial institutions must make compliance with these provisions a top priority. The challenge, though, is gaining the necessary resources and expertise to adequately address the NYDFS’s new requirements, especially those pertaining to vulnerability assessments, risk monitoring and user activity monitoring.
On the bright side, stipulations in the new regulations allow for qualified third-party service providers to manage risks and oversee cybersecurity functions. This may include a SOC-as-a-service partner capable of complying with all the provisions above.
Now is not the time to experiment in building an in-house SOC in hopes of meeting the new regulatory guidelines. Go with a pro. Team with a SOC-as-a-service provider that knows security inside and out and can help ensure you become compliant.
Addendum: You can now download a handy checklist on the New York Department of Financial Services 23 NYCRR 500 and how the AWN CyberSOC can help you to achieve compliance from this link.