
New York Department of Financial Services Cybersecurity Regulations

Getting in Shape – NYDFS Cyber Security Regulations Webinar
Presenters: Shawn Tuma, Cybersecurity & Data Protection Attorney, Scheef & Stone LLP | Bill Belcher, VP Americas, Boldon James

In an initiative to protect New York's financial services industry, a new State regulation has been introduced to protect consumers and financial institutions from cyber-attacks. Effective March 1, 2017, this risk-driven regulation requires all financial services institutions regulated by the Department of Financial Services (DFS) to establish and maintain a cyber security program that will protect both customers' private data and the technology that supports it. The impact stretches down through the supply chain, as any organization that conducts business with the NYC financial services sector has to adopt the same level of data protection.
Watch this webcast to learn:
The key requirements of the NYC Cyber security regulation
How compliance is about process first, then people and technology
What organizations need to be doing to ensure they comply
How data classification can help ensure compliance

NYDFS Cybersecurity Regulations (23 NYCRR 500)

New York is one of the biggest financial hubs in the world; as you can imagine, where there is sensitive financial information, there are people who want to get their hands on it. It is for this reason that major financial firms operating in New York will face stiff cyber security obligations under the new New York Department of Financial Services Cybersecurity Regulations (23 NYCRR 500). This regulation applies to firms holding a banking, insurance or financial services licence to operate in New York. 23 NYCRR 500 has been effective as of March 1, 2017, although firms have 180 days from this introduction date to change internal systems in order to meet the new compliance and regulation standards. This fact sheet outlines:
23 NYCRR 500 overview
Key dates for covered entities
Key tasks for compliance
How Boldon James can help


  1. Cybersecurity Regulations Getting in Shape: New York Department of Financial Services
     Bill Belcher, VP Americas, Boldon James
     Shawn Tuma, Cybersecurity & Data Privacy Attorney, Scheef & Stone; General Counsel, Cyber Future Foundation
  2. "Security and IT protect companies' data; Legal protects companies from their data." - Shawn Tuma
  3. "Classification is the foundation for all data security, including DLP. Without data classification in play, it's impossible to know what data to protect." - Boldon James
  4. Introduction
     • Cybersecurity threat is ubiquitous.
     • New York is a major international financial hub.
     • New York Department of Financial Services (DFS)
       • Developed Proposed Cybersecurity Requirements for Financial Services Companies
         • Released for comment on September 13, 2016
         • Effective date 1/1/17; enforcement date 7/1/17
         • Comments resulted in substantial revision
       • Revised Cybersecurity Requirements for Financial Services Companies (Cybersecurity Regulations)
         • Released final on December 28, 2016
         • Effective date 3/1/17; enforcement date 8/28/17
         • 23 NYCRR 500
         • Exemption Mechanism
     NEW YORK DEPARTMENT OF FINANCIAL SERVICES CYBERSECURITY REGULATIONS
  5. Key dates for Covered Entities
     • March 1, 2017: Law becomes effective
     • August 28, 2017: Must be in compliance
     • September 27, 2017: Deadline for filing Notices of Exemption under 23 NYCRR 500.19(e)
     • February 15, 2018: Deadline for Covered Entities to submit first certification under 23 NYCRR 500.17(b)
     • March 1, 2018: One-year transition period ends; must be in compliance with sections 500.04(b), 500.05, 500.09, 500.12, and 500.14(b)
     • September 3, 2018: Eighteen-month transition period ends; must be in compliance with sections 500.06, 500.08, 500.13, 500.14(a), and 500.15
     • March 1, 2019: Two-year transition period ends; must be in compliance with section 500.11
  6. Which businesses are impacted?
     • The Cybersecurity Regulations can impact businesses globally, even if they do not do business in New York.
     • Apply directly to any Covered Entity.
     • Apply indirectly to Third Party Service Provider(s) of the Covered Entity, through requirements on the Covered Entity to do business with the Third Party Service Provider.
  7. Which businesses are impacted?
     • Covered Entity means any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.
     • Person is any non-governmental entity.
     • Covered Entities include these doing business in NY:
       • Banks and trust companies
       • Credit unions
       • Foreign bank branches
       • Licensed lenders
       • Health insurers
       • Life insurance companies
       • Property and casualty insurance companies
       • Licensed agents & brokers
       • Savings and loan associations
       • Bail bond agents
       • Budget planners
       • Charitable foundations
       • Check cashers
       • Holding companies
       • Investment companies
       • Money transmitters
       • New York State Regulated Corporations
       • Service Contract Providers (198 on website lookup)
  8. Which businesses are impacted?
     Exemptions: these Covered Entities are exempt from all, or designated parts, of the Cybersecurity Regulations, but must file for the exemption:
     • Exemption from certain sections is available to Covered Entities with:
       • Fewer than 10 employees, including independent contractors, of the CE or its Affiliates located in NY or responsible for business of the CE;
       • Less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations of the CE and its Affiliates; or
       • Less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates.
     • An employee, agent, representative or designee of a CE who is covered under that CE's cybersecurity program.
     • A CE that does not operate or control any Information System and does not hold, and is not required to hold, Nonpublic Information is exempt from certain sections.
     • Additional discrete exemptions.
  9. Which businesses are impacted?
     • Third Party Service Provider(s) means "a Person that (i) is not an Affiliate of the Covered Entity, (ii) provides services to the Covered Entity, and (iii) maintains, processes or otherwise is permitted access to Nonpublic Information through its provision of services to the Covered Entity."
     • Nonpublic Information is all electronic information that is not publicly available and is sensitive business information of the Covered Entity, sensitive identifying information of an individual, or health care related information of an individual.
     • Section 500.11 requires a Covered Entity to ensure its Information Systems and Nonpublic Information are secured when accessed by or entrusted to TPSPs, by means of risk assessments, written policies and procedures, contractual protections, representations and warranties, due diligence, and periodic assessments of the TPSP for adequacy.
  10. Key Defined Terms
     • Cybersecurity Event means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.
     • Information System means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process control systems, telephone switching and private branch exchange systems, and environmental control systems.
     • Nonpublic Information is all electronic information that is not publicly available and is sensitive business information of the Covered Entity, sensitive identifying information of an individual, or health care related information of an individual.
     • Third Party Service Provider(s) means "a Person that (i) is not an Affiliate of the Covered Entity, (ii) provides services to the Covered Entity, and (iii) maintains, processes or otherwise is permitted access to Nonpublic Information through its provision of services to the Covered Entity."
  11. What do the Cybersecurity Regulations require, generally?
     They provide an outline of essential minimum standards, designate who should lead the process, and mandate top-down buy-in by management and the Board of Directors:
     1. Each Covered Entity must assess its unique risk profile and design a program that addresses its risks in a robust fashion.
     2. Each Covered Entity must designate a qualified individual to serve as its Chief Information Security Officer, responsible for overseeing and implementing its cybersecurity program.
     3. Each Covered Entity's senior management must be responsible for its cybersecurity program and file an annual certification confirming compliance with the Cybersecurity Regulations.
  12. Cybersecurity Program (Section 500.02)
     "Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity's Information Systems."
     • Shall be based on its Risk Assessment and designed to perform these core functions:
       • Identify and assess internal and external risks;
       • Use defensive infrastructure and policies and procedures to protect IS and NPI from unauthorized access, use, or malicious acts;
       • Detect Cybersecurity Events;
       • Respond to identified or detected Cybersecurity Events and mitigate negative effects;
       • Recover from Cybersecurity Events and restore normal operations and services; and
       • Fulfill applicable regulatory reporting obligations.
     • Keep documentation; may adopt an Affiliate's cybersecurity program.
  13. Cybersecurity Policy (Section 500.03)
     "Each Covered Entity shall implement and maintain a written policy or policies, approved by a Senior Officer or the Covered Entity's board of directors … setting forth the Covered Entity's policies and procedures for the protection of its" IS and NPI.
     • Shall be based on its Risk Assessment and address these areas, as applicable:
       • Information security
       • Data governance and classification
       • Asset inventory and device management
       • Access controls and identity management
       • Business continuity and disaster recovery planning and resources
       • Systems operations and availability concerns
       • Systems and network security
       • Systems and network monitoring
       • Systems and application development and quality assurance
       • Physical security and environmental controls
       • Customer data privacy
       • Vendor and Third Party Service Provider management
       • Risk assessment; and
       • Incident response
  14. Chief Information Security Officer (Section 500.04)
     "Each Covered Entity shall designate a qualified individual responsible for overseeing and implementing the Covered Entity's cybersecurity program and enforcing its cybersecurity policy…."
     • CISO may be an employee of the CE or an Affiliate, or
     • CE may use a Third Party Service Provider, but the CE shall:
       • Retain responsibility for compliance;
       • Designate a senior member of the CE's personnel responsible for direction and oversight; and
       • Require the Third Party Service Provider to maintain a compliant cybersecurity program.
     The CISO shall report in writing at least annually to the CE's board of directors (or equivalent) on the CE's cybersecurity program and material cybersecurity risks, considering as applicable:
     • The confidentiality of NPI and the integrity and security of IS;
     • CE's cybersecurity policies and procedures;
     • CE's material cybersecurity risks;
     • Overall effectiveness of the CE's cybersecurity program; and
     • Material Cybersecurity Events involving the CE.
  15. Penetration Testing and Vulnerability Assessments (Section 500.05)
     "The cybersecurity program for each Covered Entity shall include monitoring and testing, developed in accordance with the Covered Entity's Risk Assessment, designed to assess the effectiveness of the Covered Entity's cybersecurity program."
     Monitoring and testing shall include:
     • Continuous monitoring (or an equivalent that detects ongoing changes to IS), or
     • Periodic Penetration Testing and vulnerability assessments, as well as:
       • Annual Penetration Testing based on the Risk Assessment; and
       • Bi-annual vulnerability assessments that include systematic scans or reviews to identify publicly known vulnerabilities, based on the Risk Assessment.
  16. Audit Trail (Section 500.06)
     Covered Entities shall maintain systems that:
     • Are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the CE;
       • Maintain these records for 5 years.
     • Include audit trails designed to detect and respond to material Cybersecurity Events;
       • Maintain these records for 3 years.
  17. Access Privileges (Section 500.07)
     The Covered Entity's cybersecurity program shall limit user access privileges to IS that provide access to NPI and shall periodically review such access privileges.
  18. Application Security (Section 500.08)
     The Covered Entity's cybersecurity program shall include:
     • Written procedures, guidelines and standards to ensure the use of secure development practices for in-house developed applications utilized by the CE; and
     • Procedures for evaluating, assessing or testing the security of externally developed applications utilized by the CE in its technology environment.
     • All such procedures, guidelines and standards shall be periodically reviewed, assessed and updated by the CISO.
  19. Risk Assessment (Section 500.09)
     "Each Covered Entity shall conduct a periodic Risk Assessment of the Covered Entity's Information Systems sufficient to inform the design of the cybersecurity program …."
     The Risk Assessment shall:
     • Be updated as reasonably necessary to address changes in the CE's IS, NPI, or business operations.
     • Allow for revision of controls to respond to technological developments and evolving threats, and consider the particular risks of the CE's business operations, the NPI collected or stored, the IS utilized, and the effectiveness of controls to protect NPI / IS.
     • Be carried out in accordance with written policies and procedures and be documented, including:
       • Criteria for evaluation and categorization of identified cybersecurity risks or threats facing the CE;
       • Criteria for assessing the confidentiality, integrity, security, and availability of IS / NPI, and the adequacy of existing controls concerning identified risks; and
       • A description of how identified risks will be mitigated or accepted based on the Risk Assessment, and how the cybersecurity program will address the risks.
  20. Cybersecurity Personnel and Intelligence (Section 500.10)
     In addition to the CISO, CEs shall:
     • Have qualified cybersecurity personnel to manage cybersecurity risks and perform or oversee performance of the cybersecurity program;
     • Provide cybersecurity personnel with appropriate updates and training; and
     • Verify that key cybersecurity personnel take steps to maintain current knowledge of changing cybersecurity threats and countermeasures.
     • CE may use an Affiliate or TPSP for this.
  21. Third Party Service Provider Security Policy (Section 500.11)
     "Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers."
     • P&P should be based on the CE's Risk Assessment and address the following, as applicable:
       • The identification and risk assessment of TPSPs;
       • Minimum cybersecurity practices required of a TPSP to do business with the CE;
       • Due diligence process used to evaluate the adequacy of such TPSP's cybersecurity practices;
       • Periodic assessment of such TPSP based on the risk it presents and the continued adequacy of its cybersecurity practices.
     • P&P shall include relevant guidelines for due diligence and/or contractual protections relating to TPSPs, and applicable guidelines addressing:
       • TPSP's P&P for access controls and MFA to IS / NPI;
       • TPSP's P&P for use of encryption in transit and at rest;
       • Notice to be provided to the CE of a Cybersecurity Event; and
       • Reps and warranties addressing the TPSP's cybersecurity P&P.
  22. Multi-Factor Authentication (Section 500.12)
     • Based on its Risk Assessment, the CE shall use effective controls, which may include MFA or Risk-Based Authentication, to protect against unauthorized access to NPI or IS.
     • MFA shall be utilized for any individual accessing the CE's internal networks from an external network, unless the CE's CISO has approved in writing the use of reasonably equivalent or more secure access controls.
  23. Limitations on Data Retention (Section 500.13)
     • As part of its cybersecurity program, each CE shall include policies and procedures for the secure disposal, on a periodic basis, of any NPI no longer needed,
     • Unless such NPI is required to be retained or targeted disposal is not reasonably feasible.
  24. Training and Monitoring (Section 500.14)
     As part of its cybersecurity program, each CE shall:
     • "implement risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information by such Authorized Users;" and
     • "provide regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the Covered Entity in its Risk Assessment."
  25. Encryption of Nonpublic Information (Section 500.15)
     As part of its cybersecurity program, and based on its Risk Assessment, each CE shall implement controls, including encryption, to protect NPI held or transmitted by the CE, both in transit over external networks and at rest.
     • The CE may use effective alternative compensating controls, reviewed and approved by its CISO, if it determines it is infeasible to use:
       • Encryption of NPI in transit over external networks; or
       • Encryption of NPI at rest.
     • The CISO must review this feasibility determination at least annually.
  26. Incident Response Plan (Section 500.16)
     As part of its cybersecurity program, the CE shall establish a written incident response plan designed to promptly respond to, and recover from, any material Cybersecurity Event.
     • It shall address:
       • Internal processes for responding;
       • Goals of the IRP;
       • Definition of clear roles, responsibilities and levels of decision-making authority;
       • External and internal communications and information sharing;
       • Identification of requirements for the remediation of any identified weaknesses in the IS and associated controls;
       • Documentation and reporting regarding Cybersecurity Events and related incident response activities; and
       • Evaluation and revision of the IRP following a Cybersecurity Event.
  27. Notices to Superintendent (Section 500.17)
     Two types of Notices are required:
     • Event notification: the CE shall notify the superintendent as promptly as possible, but in no event later than 72 hours from a determination that a Cybersecurity Event has occurred that either:
       • Impacts the CE and requires notice to be provided to any government body, self-regulatory agency, or any other supervisory body; or
       • Has a reasonable likelihood of materially harming any material part of the CE's normal operations.
     • Annual reporting: on February 15 of each year, the CE shall provide the written statement (App. A) for the prior year certifying compliance with these Regulations:
       • Signed by a Senior Officer or the Chairman of the Board;
       • All records, schedules and data supporting the certification must be maintained for 5 years for examination;
       • Where deficiencies requiring improvement are identified, the CE shall document current and future efforts to remediate them.
  28. Enforcement (Section 500.20)
     "This regulation will be enforced by the superintendent pursuant to, and is not intended to limit, the superintendent's authority under any applicable laws."
     The New York Department of Financial Services has very broad authority to investigate civil matters and, through its Criminal Investigations Bureau, criminal matters as well.
  29. FAQs
     Frequently Asked Questions: http://www.dfs.ny.gov/about/cybersecurity_faqs.htm
