23 NYCRR 500 – The deadline has passed, but there’s still time.

The New York Department of Financial Services announced a new cybersecurity regulation (23 NYCRR 500), on March 1st, 2017, due to the increase of consistency and sophistication of cyber attacks over recent years. In fairness, much of the requirements are “standard issue” in most compliance frameworks, lack of adherence to applicable New York businesses will result in fines.  Even with continual extensions, the deadline for compliance was set as February 15, 2018.

Like other initiatives, such as DFARS and PTC, we are seeing entities struggle to meet the requirements.

As an IT Professional or business in the financial industry, a whole new level of responsibility has been forced onto your shoulders, whether based in New York or in a company that operates within the State.

For most Security Professionals, this will be “business as usual” as the majority of the requirements are clearly defined in NIST 800 documents.  In short, nothing to see here, move along…

For others, this new regulation comes as a response to closely monitored and growing threats posed to information and financial systems. Though initially attributed to nation-states, Critical Path Security has observed a greater amount of attacks stemming from independent groups. Unfortunately, we’ve also observed a lack of adherence to common security practices without strict enforcement of a regulatory standard.

Based on the recent successful attacks against prominent financial institutions, this regulation is designed to promote the protection of customer information as well as the information
technology systems of regulated entities. This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion.

This is not an insignificant effort.  At the very minimum, the entity must create a criteria for the  evaluation and categorization of identified cybersecurity risks or threats facing your information system; for the assessment of the confidentiality, integrity, security and availability of your information systems and nonpublic information, including the adequacy of existing controls in the context of identified risks; and requirements describing how identified risks will be mitigated (500.16) or accepted based on the Risk Assessment and how the cybersecurity program will address the risks.

What does that even mean?

It means, companies must commit time and resources to properly understanding the risk associated with the information they process and store about individuals and businesses.

The Risk Assessment (500.09) will help an entity determine exactly what needs the most attention, which provides a greater return to the efforts.  If threats are more likely to be targeted at a particular service, additional efforts can be focused on securing those assets inside the entity’s network.  As available resources for these activities are often scarce, Critical Path Security highly recommends performing sufficient amounts of discovery and planning.

Critical Path Security can provide an introductory checklist for all entities that are subjected to this new regulation. Contact CPS at compliance@criticalpathsecurity.com.

Someone must be declared as the Chief Information Security Officer (500.04). These people are in high demand and command a hefty salary for the assumed risk and responsibility.  Fortunately, this role can be outsourced to a company like Critical Path Security, levering the vCISO offering.

Additional Cybersecurity Personnel and Intelligence (500.10) will likely be required to support the day-to-day responsibilities of security the entity’s networks.  Again, this service can be outsourced to a Managed Security Service Provider (MSSP), such as Critical Path Security.

The next required step is to build a Cybersecurity Program (500.02 and 500.03).  Definitely the most time-consuming effort towards compliance. The program covers how data and systems will be protected and must be based on the completed Risk Assessment. We highly recommend leveraging professional services or guidance from an outside firm, if you don’t have sufficient internal resources.

The program outlines how you will detect events, respond to them, and remediate any damage and report incidents. Along with creating a library of supporting policies, the program creates the foundation for not only compliance with this NY requirement but an entire overarching cybersecurity strategy.

The following topics are specifically required and Critical Path Security can offer assistance in developing these:

Information Security
Data Governance and Classification
Asset Inventory and Device Management
Access Controls and Identity Management
Business Continuity and Disaster Recovery Planning
Systems Operations and Availability Concerns
Systems and Network Security
Systems and Network Monitoring
Systems and Application Development and Quality Assurance
Physical Security and Environmental Controls
Customer Data Privacy
Vendor and Third Party Service Provider Management
Risk Assessment
Incident Response

Needless to say… It’s a lot.

To assure that your program is effective, NYCRR requires that Penetration Testing (500.05) be routinely executed. This is not a one-time deal and the ongoing monitoring must include continuous monitoring (500.14) or periodic vulnerability assessments. Without effective continuous monitoring, or other systems to detect, on an ongoing basis, changes in Information Systems that may create and introduce new vulnerabilities. Critical Path Security can provide these services on a continual basis.

Additionally, entities will need to provide necessary control of Access Privileges (500.07), simply explained as maintaining a “need to know” access level, while providing a means of providing an Audit Trail (500.06).  In the event of an incident, the Audit Trail will provide the means of forensically reconstructing the events that led to a breach and supply the opportunity to locate the initial point of compromise. The entity should routinely review the Access Privileges provided to users and group, in order to prevent what we refer to as, “Permissions Creep”. This review should also assure adherence to the Limitations on Data Retention (500.13), which should provide policies and procedures around the periodic disposal of sensitive information.

As we say at Critical Path Security, you’d don’t have to secure what you don’t have.

Should you find your entity breached, the development of an Incident Response Plan (500.16) will define every aspect of responding and remediating security breaches. From the roles personnel will play, how communications are handled, to evaluation and revision of the plan after an event. This plan should also include routine Tabletop Testing to assure that active participants are well trained.

If by chance, your entity is involved in the development of custom software, the Cybersecurity program must include written procedures, guidelines, and standards designed to ensure the use of security SDLC practices for in-house developed applications. This assures compliance with Application Security (500.08).

As with all regulatory frameworks, some exemptions could apply. We recommend taking a cautious approach when determining if your entity is exempt. Those exemptions are outlined below.

Fewer than 10 employees(Including independent contractors)
Less than $10 Million in year-end total assets
Less than $5 million in gross revenue

As clearly outlined above, this is a significant amount of responsibility being placed on Financial Service Companies operating in New York.  Fortunately, you don’t have to face it alone. Critical Path Security is well-versed in helping entities just like your’s in becoming compliant and providing greater overall security and stability.

The associated document can be viewed here.


Leave a Reply