The New York Cybersecurity Regulation:
How it impacts you and your company
March 3, 2017
Presented by:
©2017 Strategic Compliance Partners. All rights reserved.
Introduction
• The New York State Department of Financial Services (the
“Department”) issued a proposed rule establishing cybersecurity
requirements for financial services companies. The rule was revised on
December 28, 2016.
• The regulation requires financial services companies that are regulated
by the Department to establish minimum standards for the protection
of consumers' private information, including the requirement to
establish and maintain a cybersecurity program designed to protect
private customer data.
• The final regulation was published on February 16, and is set to take
effect on March 1.
Agenda
Today we will discuss:
• Coverage of the regulation
• Cybersecurity program development
• Steps for compliance
Coverage
• The regulation applies to any person “operating under or required to
operate under a license, registration, charter, certificate, permit,
accreditation, or similar authorization under the Banking Law, the
Insurance Law, or the Financial Services Law.”
• It requires companies to identify and assess internal and external
cybersecurity risks that may threaten the security of sensitive data
stored on the companies' systems.
  • Additional requirement for a Risk Assessment
  • Creation of policies and procedures to protect Non-Public
  Information
• Requires a qualified individual responsible for overseeing and
implementing the cybersecurity program
  • This requirement may be met by appointing a Chief Information
  Security Officer who is employed by the company or one of its
  affiliates, or by using a “Third Party Service Provider”
What’s New
• Over 150 critical comments submitted in response to Proposed Rule
(originally published in September 2016):
  • Rules too stringent
  • No distinction between small and large financial institutions
  • Insufficient time to implement requirements
• Published amended rule on December 28th adding important flexibility
Final Rule relaxes some requirements from Proposed Rule.
What’s New
• Cyber Program
  • Instead of mandating identical security measures for all
  institutions, regardless of size, institutions must institute a
  Cybersecurity Program that is tailored to the institution’s size
  and risk profile
  • Key element is the “Risk Assessment” – it provides the foundation for
  the customization of each institution’s Program.
  • Thus, the final rule is more of a “process rule” than a prescriptive,
  substantive rule.
  • This change matches the approach in other industries (e.g. the HIPAA
  Security Rule) that focus on an individualized, enterprise-wide
  risk assessment and management process
• Risk Assessment must be performed periodically (not annually)
• Encryption no longer mandatory
  • If not feasible, entity may employ effective alternatives as
  approved by the CISO
• “Protect” not “ensure” – important language change for liability
Final Rule relaxes some requirements from Proposed Rule.
What’s New
• Allows Cybersecurity Program to be maintained by a qualifying
affiliate or third-party service provider
  • Personnel, including the role of CISO, may be outsourced
• Cybersecurity Policy must be based on R/A – asset inventory and
device management added to the list of items that must be covered
• Notice requirement narrowed in scope - only applies where:
  i. notice is required to be provided to any government body,
  self-regulatory agency or any other supervisory body; or
  ii. there is a “reasonable likelihood of materially harming any material part of
  the normal operations” of the entity
  • 72-hour notice period retained
• Exemption where fewer than 10 employees (including independent
contractors)
• Effective date is (was) March 1, 2017
• 180-day “transition” period for CEs (Covered Entities) to come into compliance
Final Rule relaxes some requirements from Proposed Rule.
Section 500.02 Cybersecurity Program
• Priority is placed on protecting confidentiality, integrity and
availability of the CE’s Information Systems
• Risk Assessment
• Drives the development of your Security Program,
• Must encompass internal and external risks (threats),
• Must be well documented and readily available,
• Each organization’s assessment findings will look different
(even if you are in the same industry).
Section 500.03 Cybersecurity Policy
• Requires implementation and maintenance of written policies that are approved by Senior
Management and/or the company’s Board of Directors. The policy is based on the Risk Assessment
and shall address the following areas as applicable:
information security;
data governance and classification;
asset inventory and device management;
access controls and identity management;
business continuity and disaster recovery planning and resources;
systems operations and availability concerns;
systems and network security;
systems and network monitoring;
systems and application development and quality assurance;
physical security and environmental controls;
customer data privacy;
vendor and Third Party Service Provider management;
risk assessment; and
incident response.
Section 500.04 CISO
• Required to designate a Chief Information Security Officer,
• Must be a “qualified individual” (e.g. CISSP, CISM),
• Can be 3rd party service provider but you still need to designate
internal resource for oversight and direction,
• CISO responsible for delivering annual report to board of
directors or senior officer,
• Report describes overall health and effectiveness of
cybersecurity program and events from previous period.
Section 500.05 Penetration Testing/Vulnerability Assessments
• Monitoring and testing of program required,
• Continuous monitoring or periodic vulnerability
assessment and penetration testing,
• Bi-annual vulnerability assessments (including scans),
• Annual penetration testing,
• Testing program details are driven by the Risk Assessment.
Section 500.06 Audit Trail
• Focus is on capturing and storing transaction data for purposes of reconstruction,
• Must be “designed to detect and respond to Cybersecurity Events”,
  • Implies that Security Information and Event Management (SIEM)
  is in place,
• Record retention required,
  • Five (5) years for financial transactions,
  • Three (3) years for security audit data.
Section 500.07 Access Privileges
• User access privileges limited based upon Risk Assessment,
• Periodic review of access privileges required.
Section 500.08 Application Security
• In-house developed applications,
  • Written procedures, guidelines and standards to ensure security
  best practices are used,
• Externally developed applications,
  • Procedures for evaluating, assessing and testing application
  security,
• CISO must review documentation periodically.
Section 500.09 Risk Assessment
• One of the most critical and important components in the regulation,
• Drives the specific security activities and controls within the organization,
• Should address technical and non-technical security controls and their effectiveness,
• Risk management focus versus IT assessment.
Section 500.09 Risk Assessment
• Threat Actors and Sources
  • Criminal hacker, hacktivist, malicious insider, negligent insider, script kiddie, nation state,
• Attack Vectors/Methods
  • Phishing, malware, business email compromise, social engineering, technical backdoors, etc.
• Security program should address the most likely threat sources and attack vectors for your organization.
Section 500.09 Risk Assessment: Data Breach Scenario
1. Criminal Hacker
2. Phishing Email
3. Malware Deployed
4. Device Compromised
5. Data Exfiltrated
Section 500.09 Risk Assessment: Security Controls and Mechanisms
People:
• Employee Security Awareness Training
• Mock Phishing Exercises
• CISO/Cyber Expertise
• Security Awareness Surveys
• IR Tabletop Exercises
Policy:
• See Section 500.03
Technology:
• Anti-Virus/Anti-Malware
• Firewalls
• Network Segmentation
• Multi Factor Authentication
• Role Based Access Control
• Encryption
• Vulnerability Scans/Pen Testing
• SIEM
Note: This is not an exhaustive list but merely examples.
Section 500.10 Cyber Personnel and Intel
• “Qualified cybersecurity personnel” must be used to manage the cybersecurity program,
• Cybersecurity personnel must be regularly trained to address new risks and countermeasures,
• 3rd party service provider can be used to meet this requirement.
Section 500.11 3rd Party Service Providers
• Risk assessment procedures must be developed and updated periodically,
• 3rd party service provider assessment prioritization based upon what information systems they can access.
Section 500.12 MFA
• Multi-Factor Authentication,
  • Something you know (password),
  • Something you have (smartphone),
  • Something you are (fingerprints),
• Must be used for individuals accessing the internal network from an external network,
• Equal or more secure methods can be used if approved by the CISO in writing.
Section 500.13 Limitation on Data Retention
• Policies and procedures for secure disposal must be developed and implemented,
• NPI no longer necessary for business operations must be periodically disposed of.
Section 500.14 Training and Monitoring
• Activity of Authorized Users must be monitored for:
  • Unauthorized access or use of NPI,
  • Tampering with NPI,
• “Regular” cybersecurity awareness training for all personnel required,
  • Training should be based upon risks identified in the Risk
  Assessment.
Section 500.15 Encryption of NPI
• Implementation based upon Risk Assessment findings,
• NPI data at rest and in transit must be encrypted,
• If not practical, compensating controls can be used if approved by the CISO.
Section 500.16 Incident Response Plan
• Written IR Plan must be implemented,
• IR Plan must be updated after Cybersecurity Event occurs,
• Not required but we recommend semi-annual tabletop exercises to identify gaps and weaknesses.
Section 500.17 Notices to Superintendent
• The rule contains a requirement for notification to the Superintendent of the Department.
• Notice is required no later than 72 hours after the determination that a “Cybersecurity Event” has
occurred.
• A Cybersecurity Event is defined as “an act or attempt to gain unauthorized access to, disrupt or
misuse the company’s information systems or information stored on these systems”
• Notice is required if it is determined that:
  • “Notice is required to be provided to any government body, self-regulatory agency or any other
  supervisory body”; or
  • The Cybersecurity Event has a reasonable likelihood of causing material harm to the normal
  operation of the company.
• Additional requirement for the submission of an annual written statement to the Superintendent by
February 15 of each year in relation to the events of the prior calendar year.
Section 500.18 Confidentiality
• Information provided by a Covered Entity is exempt from disclosure under Banking, Insurance, Financial Services, and Public Officers Laws.
Section 500.19 Limited Exemptions
A Covered Entity meeting any of the following criteria is exempt from certain provisions of the NY regulation:
• Fewer than 10 employees, including any independent contractors, of the Covered Entity or its
Affiliates located in New York or responsible for business of the Covered Entity, or
• Less than $5 million in gross annual revenue in each of the last three fiscal years from NY business
operations of the Covered Entity and its Affiliates, or
• Less than $10 million in year-end total assets, calculated in accordance with generally accepted
accounting principles, including assets of all Affiliates.
Such a Covered Entity shall be exempt from the following requirements:
Exempt from
500.04(a) Designating a Chief Information Security Officer
500.04(b) Report to Board of Directors
500.05 Penetration Testing and Vulnerability Assessments
500.06 Audit trail
500.08 Application Security
500.10 Cybersecurity Personnel and Intelligence
500.12 Multifactor Authentication
500.14 Training and Monitoring
500.15 Encryption of Nonpublic Information
500.16 Incident Response Plan
• A Covered Entity that qualifies for any of the above exemptions pursuant to this section shall
file a Notice of Exemption in accordance with the regulation within 30 days of the determination that
the Covered Entity is exempt.
Section 500.20 Enforcement
• The NYDFS Superintendent has enforcement authority under existing, applicable law.
• No express private right of action.
• NYDFS has already been conducting audits of financial services organizations since 2015, which it has initiated with a cybersecurity questionnaire.
Liability Risks
• The Rule presents liability risks and exposure beyond NYDFS regulatory enforcement
• Despite lack of private right of action, Plaintiffs’ lawyers may assert the Rule as “standard of conduct” to underpin the following:
o Consumer state law claims – including class actions
o Shareholder derivative actions
o Business claims – e.g. contractual
o State and federal breach notification law claims
• Exposure underscored by reporting and certification requirements
Insurance Recommendations
• Check D&O coverage - e.g. does it cover false or inaccurate
certifications for applicable staff
• Some policies broadly exclude these types of actions
• Check E&O policies for coverage regarding 3rd Party Vendors
• Consider stand-alone cyber policy
• Other insurance issues important for data breach issues:
o The definition of a breach
o The definition of private information
o When is coverage retroactive to?
o How much of “Crisis Management” is covered?
i.e. Responding to the breach initially, investigations, etc.
Compliance Recommendations
• Utilize a formal Risk Assessment process – e.g.:
  • FFIEC Cybersecurity Assessment Tool
  • NIST Framework
• A thorough Risk Assessment process should be well documented, set realistic
timetables, and prioritize asset protection based upon risk and budget
• Proper governance measures –
  • Cyber is not just an “IT issue” – there must be buy-in and participation by the
  entire organization, which starts with the top
  • Development of a “culture of cyber-awareness”
  • Use of NACD Handbook on Cyber-Risk Oversight
• Use of outside experts
• Engaging workforce education
• Third party cyber vetting and monitoring
Section 500.21 Effective Date
• The new requirements are effective as of March 1, 2017
• Covered entities are required to annually submit to the superintendent a Certification of Compliance to the Department beginning February 15, 2018
Section 500.22 Transitional Periods
Financial Services Institutions have been given transition periods for implementing the cybersecurity regulation.
The transition periods (time from 03/01/17) are highlighted below:
180 days:
• 500.02 Cybersecurity program
• 500.03 Cybersecurity policy
• 500.04(a) Designation of a Chief Information Security Officer
• 500.07 Access Privileges
• 500.10 Cybersecurity Personnel and Intelligence
• 500.16 Incident Response Plan
• 500.17 Notices to Superintendent
1 year:
• 500.04(b) Report to Board of Directors
• 500.05 Penetration Testing and Vulnerability Assessments
• 500.09 Risk Assessment
• 500.12 Multifactor Authentication
• 500.14(b) Cybersecurity Awareness Training
18 months:
• 500.06 Audit Trail
• 500.08 Application Security
• 500.13 Limitations on Data Retention
• 500.14(a) Implement Monitoring of Authorized and Unauthorized Activity
• 500.15 Encryption of Nonpublic Information
2 years:
• 500.11 Third Party Service Provider Security Policy
Insurance Recommendations
• The rule presents financial services firms with a variety of obligations
that could lead to liability from regulatory actions or litigation from
consumers
• Officers must now certify annually that their firm is compliant with the
Department’s regulations, which creates the risk of overstating a
company’s protections in order to appear compliant
• Companies will want to check that their directors and officers liability
insurance covers these potential actions or lawsuits
• Some policies broadly exclude these types of actions
• If using a third party vendor, be sure the vendor has an extensive
technology errors and omissions liability insurance policy and that it
covers cybersecurity claims
Questions?
Monique Jean, General Counsel
Strategic Compliance Partners
301-691-1307
Joseph Kelley III, Principal
Offit Kurman
267-338-1368
Robert Olsen, CEO
Compass Cyber Security
667-401-5105