For financial services companies that fall under the New York State Department of Financial Services (DFS) cybersecurity requirements rule, the timeline for implementing 23 NYCRR500 has begun. The new rule became effective March 1st. Each section of the rule has a timeline relating to the development of cybersecurity programs for all “Covered Entities.”
The regulation applies to the array of organizations that operate under a license, charter or other authorization under New York’s Banking, Financial Services or Insurance Laws, which places those organizations under DFS regulation. Exemptions do exist, but they affect only organizations with fewer than 10 staff (including outside contractors), annual revenue of less than $5 million and total year-end assets of less than $10 million (Section 500.19). An exempt organization must file a Notice of Exemption (Appendix B form) within 30 days of determining that it qualifies.
The rules are prefaced with the statement that, “The financial services industry is a significant target of cybersecurity threats. DFS appreciates that many firms have proactively increased their cybersecurity programs with great success. Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances. Accordingly, this regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities. This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion. Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations.” ((Cybersecurity Requirements for Financial Services Companies. 23NYCRR500. New York State Department of Financial Services. Effective March 1, 2017. New York State Register.))
Cybersecurity programs are required under Section 500.02 to be “designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems,” must “be based on the Covered Entity’s Risk Assessment” and must perform “core cybersecurity functions including identification and assessment of internal and external cybersecurity risks, use defensive infrastructure and written policies and procedures.” Mitigation and program improvements to meet compliance are included in that statement, as is appropriate supporting documentation. The regulation requires that Covered Entities have a cybersecurity program that addresses 14 areas within their third party risk management program, including:
- Encryption of non-public information (Section 500.15).
- Multi-factor authentication that is appropriate to the risk assessment (Section 500.12).
- Third party agreement due diligence that includes actionable contract requirements that allow the outsourcer to mirror its own risk requirements at down chain levels (third party and on) within its supply chain (Section 500.11).
- Periodic risk assessments of information systems, business operations, technology developments and emerging threats (Section 500.09).
The Covered Entity may meet the requirements through adopting an affiliates program – affiliates do not include third party providers, as defined by the regulation. The rule requires all Covered Entities to have a third party risk management program. Written policies and procedures that are approved at the senior and/or board levels, ongoing training, audit trails and specific risk controls are all mandated, along with incident response planning, monitoring and testing and designation of a formal Chief Information Security Officer (CISO). The CISO must be “qualified” and would be responsible for cybersecurity program design, implementation, oversight, program updates and enforcement and be responsible under Section 500.04(b) for reporting at the board level of the Covered Entity.
This last point, appointment of a CISO, has been contentious, in part because it is viewed as burdensome for smaller organizations. The DFS allows the CISO to be an outsourced position, an accommodation designed to alleviate the cost burden for smaller firms. However, outsourcing the CISO position may have unintended consequences, since for smaller firms the most logical third party to handle that role might well be an individual from the company that provides technology infrastructure to the outsourcer. Conflicts of interest may reasonably occur. For example, part of the CISO’s responsibility is validating compensating controls when an outsourcer is unable to comply with new DFS security requirements, such as encryption of at-rest non-public data or multi-factor authentication. Will a CISO paid by the third party be able to make an independent assessment of control adequacy when that person’s primary employer may have a vested interest in an outcome that differs from its clients’ interests?
This regulation mandates that it is the CISO’s role to identify, sign off on and report to the board on the effectiveness of the program, the materiality of risks and the compensating controls for all areas of the cybersecurity program. Is it feasible for an outsourced CISO, who may be tied to application development or other IT functions as defined in Section 500.10 (Cybersecurity Personnel and Intelligence), to remain independent? These questions only scratch the surface of the potential pitfalls this situation poses for robust third party risk management.
Rule provisions that took effect immediately and involve reporting to the DFS Superintendent of Financial Services include Section 500.17(a), notice within 72 hours of a cybersecurity event, and Section 500.17(b), a written statement of compliance with the rule (Appendix A form), which is due February 15th each year. ((The Regulation defines a cybersecurity event as “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse [of] an Information System or information stored on such Information System.”)) Defined transitional period milestones for complying with the remaining requirements of the regulation are noted in Section 500.22. A full list of transition requirements is available in the regulation document.
The Shared Assessments Program member vertical groups and development committees will continue to examine and discuss the regulation and take 23NYCRR500 into account during best practices resources development and Program Tool updates.
Marya Roddis is Vice President of Communications for The Santa Fe Group, Shared Assessments Program. She acts as lead writer for staff and member subject matter experts, providing research and other support in developing blog content and documenting committee projects in white papers and briefings, as well as press communications and other outreach documentation. She has 40 years of experience in administration, compliance monitoring and communications and has served as a Resource Development Consultant since 2003 for primarily non-profit organizations in the fields of arts, education, social services and regional economic and business development.