The one-year transitional period under the New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies expired on March 1, 2018. Financial services companies that are regulated by NYDFS now face additional requirements for assessing, monitoring, testing and reporting on the integrity and security of their information systems and the overall effectiveness of their cybersecurity programs.
Overview of New York Cybersecurity Regulations
The NYDFS cybersecurity regulations became effective on March 1, 2017, and the initial 180-day transitional period expired on August 28, 2017. The regulations that took effect last year require all covered entities to implement a cybersecurity program that identifies and protects against cybersecurity risks and adopt comprehensive policies and procedures for the protection of the company’s information systems and nonpublic information. The cybersecurity regulations apply to any organization operating under or required to operate under a NYDFS license, registration, charter, certificate, permit, accreditation or similar authorization under the New York Banking Law, Insurance Law or Financial Services Law.
Additional Actions Required to Achieve Compliance
On March 1, 2018, additional requirements under the cybersecurity regulations took effect. In addition to the requirements that took effect last year, covered entities that are subject to the cybersecurity regulations must implement the following additional cybersecurity measures:
- Annual Report to Board of Directors. Direct the company’s Chief Information Security Officer (CISO) to submit an annual written report to the company’s board of directors. This report should consider the confidentiality of nonpublic information and the integrity and security of the company’s information systems; the company’s cybersecurity policies and procedures; material cybersecurity risks to the company; overall effectiveness of the company’s cybersecurity program; and material cybersecurity events involving the company during the time period addressed by the report.
  - NYDFS emphasizes that a well-informed board is a crucial part of an effective cybersecurity program. The CISO’s reporting to the full board is important to enable the board to assess the company’s governance, funding, structure and effectiveness as well as compliance with the cybersecurity regulation. Therefore, this requirement may not be met by reporting to an authorized subcommittee of the board.
- Periodic Risk Assessments. Conduct and document a periodic risk assessment sufficient to inform the design of a cybersecurity program as required by the cybersecurity regulations. The risk assessment is an integral requirement of the cybersecurity regulations.
  - The risk assessment must consider the particular risks of the company’s business operations related to cybersecurity, nonpublic information collected or stored, information systems utilized and the availability and effectiveness of controls to protect nonpublic information and information systems.
  - In addition, the risk assessment must be carried out in accordance with written policies and procedures that include criteria for the evaluation and categorization of identified cybersecurity risks or threats; criteria for the assessment of the confidentiality, integrity, security and availability of the company’s information systems and nonpublic information, including the adequacy of existing controls in the context of identified risks; and requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the cybersecurity program will address these risks.
- Training. Provide regular cybersecurity awareness training for all personnel that is updated to reflect risks identified in the periodic risk assessment. The training must be sufficient to address relevant cybersecurity risks and changing cybersecurity threats and countermeasures.
- Penetration Testing or Continuous Monitoring. Implement monitoring and testing, developed in accordance with the company’s risk assessment, designed to assess the effectiveness of the company’s cybersecurity program. This testing must include annual penetration testing of the company’s information systems determined each given year based on relevant identified risks in accordance with the risk assessment. It also must include bi-annual vulnerability assessments, including any systematic scans or reviews of information systems reasonably designed to identify publicly known cybersecurity vulnerabilities in the company’s information systems based on the risk assessment.
  - “Penetration testing” is a test methodology in which assessors attempt to circumvent or defeat the security features of an information system by attempting penetration of databases or controls from outside or inside the company’s information systems. Penetration testing is often conducted by a “white hat” ethical computer hacker who specializes in penetration testing and in other testing methodologies to ensure the security of an organization’s information systems.
  - The regulations require covered entities to have a plan in place that provides for penetration testing to be done as appropriate to address the risks of the company, but the first vulnerability assessment need not have been concluded before March 1, 2018, provided that robust penetration testing and vulnerability assessment are completed in a timely manner.
  - Alternatively, this requirement may be met through effective continuous monitoring, or other systems to detect, on an ongoing basis, changes in information systems that may create or indicate the existence of cybersecurity vulnerabilities or malicious activity. Effective continuous monitoring may be attained through a variety of technical and procedural tools, controls and systems, and there is no specific technology that is required to be used in order to have an effective continuous monitoring program. In contrast, non-continuous monitoring of information systems, such as through periodic manual review of logs and firewall configurations, would not be considered to constitute “effective continuous monitoring” for purposes of the regulations.
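The distinction the regulation draws between ongoing change detection and periodic manual review is easier to see in code. The following is an added example, not part of the original alert and not anything NYDFS prescribes: a small monitor that keeps a hashed baseline of a few configuration items (firewall rules, listening ports, privileged accounts), reports drift every time it is polled, and escalates a couple of patterns for urgent review. The monitored item names, the escalation patterns and both snapshots are this example's own constructed assumptions.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Any, Dict, List


@dataclass
class Change:
    item: str      # monitored item, e.g. "firewall_rules"
    kind: str      # "added", "removed" or "modified"
    before: Any
    after: Any


def fingerprint(value: Any) -> str:
    """Hash a canonical JSON form so key ordering never reads as a change."""
    canon = json.dumps(value, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


class ChangeMonitor:
    """Remembers the last-seen state of each item and reports drift on every poll."""

    def __init__(self, baseline: Dict[str, Any]):
        self.state = dict(baseline)
        self.hashes = {k: fingerprint(v) for k, v in baseline.items()}

    def poll(self, snapshot: Dict[str, Any]) -> List[Change]:
        changes: List[Change] = []
        for item in sorted(set(self.hashes) | set(snapshot)):
            if item not in self.hashes:
                changes.append(Change(item, "added", None, snapshot[item]))
            elif item not in snapshot:
                changes.append(Change(item, "removed", self.state[item], None))
            elif fingerprint(snapshot[item]) != self.hashes[item]:
                changes.append(Change(item, "modified", self.state[item], snapshot[item]))
        # Advance the baseline so the next poll reports only new drift.
        self.state = dict(snapshot)
        self.hashes = {k: fingerprint(v) for k, v in snapshot.items()}
        return changes


def escalate(changes: List[Change]) -> List[str]:
    """Turn drift into alert lines. The two HIGH patterns (a new privileged account,
    a new any-source allow rule) are this example's own assumptions about what
    warrants immediate review; everything else is reported as INFO."""
    alerts = []
    for c in changes:
        severity = "INFO"
        if c.item == "admin_accounts" and c.kind == "modified":
            if set(c.after) - set(c.before):
                severity = "HIGH"
        if c.item == "firewall_rules" and c.kind == "modified":
            new_rules = [r for r in c.after if r not in c.before]
            if any(r.get("src") == "0.0.0.0/0" and r.get("action") == "allow" for r in new_rules):
                severity = "HIGH"
        alerts.append(f"{severity}: {c.item} {c.kind}")
    return alerts


# Constructed sample data (no real systems): the state recorded at baseline time ...
BASELINE = {
    "firewall_rules": [
        {"src": "10.0.0.0/8", "dst_port": 443, "action": "allow"},
        {"src": "0.0.0.0/0", "dst_port": 22, "action": "deny"},
    ],
    "listening_ports": [22, 443],
    "admin_accounts": ["alice", "bob"],
}

# ... and a later snapshot in which an any-source allow rule and a new admin appeared.
DRIFTED = {
    "firewall_rules": [
        {"src": "10.0.0.0/8", "dst_port": 443, "action": "allow"},
        {"src": "0.0.0.0/0", "dst_port": 22, "action": "deny"},
        {"src": "0.0.0.0/0", "dst_port": 3389, "action": "allow"},
    ],
    "listening_ports": [22, 443, 3389],
    "admin_accounts": ["alice", "bob", "svc-backup"],
}


def run_demo() -> List[str]:
    """First poll sees no drift; the second sees the constructed changes."""
    monitor = ChangeMonitor(BASELINE)
    monitor.poll(BASELINE)            # identical snapshot -> empty list
    return escalate(monitor.poll(DRIFTED))


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

In practice the snapshot would be collected on a schedule from the actual systems and the alerts routed to whoever owns the response; the point of the example is that each change is surfaced when the next poll runs, rather than whenever someone next sits down to read the configuration by hand.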
- Multi-Factor Authentication. Institute the use of multi-factor authentication and risk-based authentication (or other effective controls to protect against unauthorized access to nonpublic information or information systems). Multi-factor authentication must be utilized for any individual accessing internal networks from an external network, unless the CISO has approved in writing the use of reasonably equivalent or more secure access controls.
  - “Multi-factor authentication” consists of authentication through verification of at least two of the following types of authentication factors: (1) knowledge factors (something you know), such as a password; (2) possession factors (something you have), such as a token or text message on a mobile phone; and (3) inherence factors (something you are), such as a biometric characteristic.
  - “Risk-based authentication” consists of a risk-based system of authentication that detects anomalies or changes in the normal use patterns of a person and requires additional verification of the person’s identity when deviations or changes are detected, such as through the use of “challenge questions.”
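The two definitions above translate into a policy decision that is easy to get subtly wrong (two knowledge factors are not multi-factor; an external login without a second factor is not saved by a clean risk score). The following is an added example, not part of the original alert and not a NYDFS-prescribed design, showing an access decision that applies both definitions. It assumes factor verification itself (checking the password, validating the one-time code) has already happened upstream; the method names in FACTOR_TYPE, the Login and UserBaseline types, the risk signals and the ciso_approved_equivalent flag are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Each verification method mapped to one of the regulation's three factor types.
# Method names are this example's assumptions, not a prescribed list.
FACTOR_TYPE = {
    "password": "knowledge",
    "pin": "knowledge",
    "totp": "possession",
    "sms_otp": "possession",
    "hardware_token": "possession",
    "fingerprint": "inherence",
    "face": "inherence",
}


def is_multi_factor(verified_methods: Iterable[str]) -> bool:
    """True only when the verified methods span at least two distinct factor types.
    password + PIN is two knowledge factors and does not qualify."""
    types = {FACTOR_TYPE[m] for m in verified_methods}
    return len(types) >= 2


@dataclass(frozen=True)
class Login:
    user: str
    device_id: str
    country: str
    hour: int                     # local hour, 0-23
    from_external_network: bool   # reaching internal networks from outside


@dataclass
class UserBaseline:
    """Constructed "normal use pattern" for one person."""
    known_devices: Set[str]
    usual_countries: Set[str]
    usual_hours: range


def risk_signals(login: Login, baseline: UserBaseline) -> List[str]:
    """Deviations from the person's normal pattern; any signal means step-up."""
    signals = []
    if login.device_id not in baseline.known_devices:
        signals.append("new_device")
    if login.country not in baseline.usual_countries:
        signals.append("unusual_country")
    if login.hour not in baseline.usual_hours:
        signals.append("unusual_hour")
    return signals


def decide(login: Login, verified_methods: Iterable[str], baseline: UserBaseline,
           ciso_approved_equivalent: bool = False) -> Tuple[str, List[str]]:
    """Return (decision, reasons).

    require_second_factor: external-network access without MFA, and no written
                           CISO approval of an equivalent control applies
    step_up:               factors are fine but the context deviates from the baseline
    allow:                 otherwise
    """
    methods = list(verified_methods)
    if login.from_external_network and not is_multi_factor(methods) and not ciso_approved_equivalent:
        return "require_second_factor", ["external_network_requires_mfa"]
    signals = risk_signals(login, baseline)
    if signals:
        return "step_up", signals
    return "allow", []


# Constructed baseline for a sample user (not real data).
ALICE = UserBaseline(known_devices={"laptop-01"}, usual_countries={"US"}, usual_hours=range(7, 20))


if __name__ == "__main__":
    cases = [
        (Login("alice", "laptop-01", "US", 10, False), ["password"]),
        (Login("alice", "laptop-01", "US", 10, True), ["password", "pin"]),
        (Login("alice", "phone-99", "US", 22, True), ["password", "totp"]),
    ]
    for login, methods in cases:
        print(methods, decide(login, methods, ALICE))
```

The order of the two checks matters: the MFA requirement for external access is checked first so that a familiar device and location can never substitute for the missing second factor, while the anomaly check still applies to sessions that have already presented two factor types.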
Annual Certification of Compliance
Covered entities are now required to submit an annual written statement to the superintendent of NYDFS certifying compliance with the regulation for the prior calendar year by no later than February 15 of each year. If the certification identifies areas, systems, or processes that require material improvement, updating or redesign, the company must document the identification and the remedial efforts planned and underway to address such areas, systems or processes.
A company may not submit a certification unless it is in compliance with all applicable requirements of the cybersecurity regulations at the time of certification, and NYDFS has stated that it “expects full compliance with this regulation.” This certification must be personally signed by the chairperson of the board of directors or the senior officer(s) who are responsible for the management, operations, security, information systems, compliance and/or risk of the company.
Certifications of compliance should be filed electronically via the NYDFS Web Portal. The first filing deadline expired on February 15, 2018.
Future Compliance Deadlines for Remaining Requirements
The next compliance deadline for the cybersecurity regulations will expire on September 3, 2018, and will require covered entities to implement a cybersecurity audit system, secure development practices for in-house developed applications, limitations on data retention, risk-based controls and encryption of nonpublic information. The final compliance deadline will expire on March 1, 2019, and will require covered entities to implement policies and procedures that address the cybersecurity practices of third party service providers.