Page 2 of 20
Executive Summary
In September 2016, the New York State Department of Financial Services (the “NYDFS”)
proposed new cybersecurity regulations (the “Proposed Rules”) for banks, insurance
companies, and other financial institutions regulated by the NYDFS (“Covered Entities”).
The Proposed Rules reflect an ongoing interest in cybersecurity by the NYDFS and other
regulators as a result of recent high-profile cyberattacks targeting banks and other institutions.
These incidents include the attack on the Bangladesh Central Bank in February 2016.
The NYDFS’s interest in this area has been especially pronounced given New York’s
importance to the financial markets and was evidenced by the fact that the Proposed Rules
were announced by New York Governor Andrew Cuomo.
Since its writing, the NYDFS has finalized its regulations. This whitepaper is organized to provide a
more complete plan than what has been announced as the final revision of these rules. It is the
writer’s belief that organizations need to protect their customers and intellectual property rather than
simply trying to comply with regulations.
What the final version presents is a series of steps that, if followed, will minimize the likelihood
of a data breach. If the reader also follows the additional steps outlined here that go beyond the
regulations' final version, a breach becomes statistically even less likely. And it doesn’t stop there.
Organizations need to follow a series of security best practices across systems, the network,
and people, and attach to that a security framework that provides a lifecycle approach, much as a
homeowner layers an alarm system, cameras, dead bolt locks, and warning signage. Security
frameworks help organizations make it more difficult for computer criminals to succeed in their
attacks.
The reader may be familiar with a lifecycle service approach, but for reference, CCSI uses this
methodology in all engagements.
The rules, in the works since 2014, respond to a series of high-profile data breaches that
resulted in losses of hundreds of millions of dollars to U.S. companies, including Target Corp,
Home Depot Inc, and Anthem Inc.
Why do we care about these rules? One Simple Answer - Data Breaches
3. Reputation
The NYDFS reports that 79 percent of surveyed depository institutions were increasing their
cybersecurity budgets for 2014 - 2017.
Accordingly, these regulations are designed to promote the protection of customer information
as well as the information technology systems of regulated entities. They require each company
to assess its specific risk profile and design a program that addresses its risks in a robust
fashion.
Senior management must take this issue seriously, assume responsibility for the organization’s
cybersecurity program, and file an annual certification confirming compliance with these
regulations. A regulated entity’s cybersecurity program must ensure the safety and soundness
of the institution and protect its customers.
These new regulations by the NYDFS specify that anyone authorized to operate under New York
banking, insurance, or financial services laws is subject to and covered by them.
Specifically, regulated entities include: state-chartered banks and trust companies, insurance
companies, insurance producers, insurance adjusters, bail bond agents, service contracts, life
settlements, budget planners, charitable foundations, check cashers, credit unions, investment
companies, licensed lenders, money transmitters, mortgage bankers, mortgage brokers,
mortgage loan servicers, premium finance agencies, private bankers, safe deposit companies,
sales finance companies, savings banks, and savings and loans.
In December, New York State delayed implementation of the rules by two months and loosened
some requirements after financial firms complained they were onerous and said they needed
more time to comply.
History
Let’s take a step back. The NYDFS was created in 2011 when the NYS Insurance Department
and the NYS Banking Department were consolidated. Today, the NYDFS supervises
approximately 4,500 entities. It is currently headed by the Superintendent of Financial Services,
Maria Vullo.
In 2013, the NYDFS began surveying banking organizations and later insurance companies. It
then issued reports in 2014 and 2015 on cybersecurity in the insurance and banking industries.
From there, on Nov 9, 2015, the then Acting Superintendent sent a letter on behalf of the NYDFS to 18
members of the Financial and Banking Information Infrastructure Committee announcing its intent to
issue cybersecurity requirements.
Limited Exclusion
Sec. 500.18(a) includes a limited exemption to the Regulations for otherwise Covered Entities. If
a CE has:
1. Fewer than 1,000 customers in each of the last 3 years, and
2. Less than $5M in gross annual revenue in each of the last 3 fiscal years, and
3. Less than $10M in year-end total assets per GAAP (including any affiliates for purposes
of the total asset calculation),
then such entities are exempt from the Regulations' requirements involving maintenance of
specific cybersecurity personnel, application development, multi-factor authentication, training,
encryption, audits and audit trails, and conducting vulnerability tests.
Regulations Short List
o A CISO-written report to the Board of Directors at least twice a year (which the DFS can
request).
o Reporting to the NYDFS of certain “Cybersecurity Events” within 72 hours of discovery.
o Annual certification of compliance with the NYDFS Regulations by the BoD or “Senior
Officer(s)” by January 15th of each year (with maintenance for five years of “records,
schedules and data” supporting the certification).
o May require existing Cybersecurity Policies to be reviewed and expanded given the broad
definition of NPI.
o Policies must be updated “as frequently as necessary” but at least annually.
o Require a third-party Information Security Policy to ensure security of NPI and
Information Systems “accessible to or held by” third parties, which must:
1. Identify these parties and perform risk assessments.
2. Specify minimum cybersecurity practices that third parties must meet.
3. Detail due diligence processes to determine third-party cybersecurity adequacy.
4. Implement an annual assessment of third parties' cybersecurity practices.
Personnel
Chief Information Security Officer:
o Must be designated, “qualified”, and held responsible for the oversight, implementation,
and enforcement of the Cybersecurity Program and Policy.
o Can be met through third-party service providers (“outsourced CISO”).
o 72-hour notifications go to the NYDFS, and the DFS can request all CISO reports.
Additional reading: http://www.ccsinet.com/candidates-qualities-ciso-career-job/
What follows is a series of mappings based on the information currently proposed by the NYDFS.
As the final details are released, some of these may become optional, but it is highly
recommended that they be strongly considered, since the intent of any security policy is for
businesses to protect their customers and to provide confidentiality, integrity, and availability.
1. “Multi-Factor Authentication” required “for any individual accessing the Covered Entity’s
internal systems or data from an external network”.
2. “Multi-Factor Authentication” required for “privileged access” to database servers that
allow access to Nonpublic Information.
3. “Risk-Based Authentication” required “in order to access web applications that capture,
display or interface with Nonpublic Information”.
4. “Multi-Factor Authentication” required “for any individual accessing web applications that
capture, display or interface with Nonpublic Information”.
o Policy
1. Team
2. Response Plan/Strategy
3. Communication
4. Documentation
5. Training
6. Testing
o Identification
o Containment
o Eradication
o Lessons Learned
Although the Final Regulation retains most of the content of the Proposal discussed herein, the
Final Regulation departs from the Proposal by:
o Expanding the types of entities that can qualify for an exemption from coverage by the Final
Regulation (such as certain insurance companies) and identifying the sections of the Final
Regulation from which such entities are exempt;
o Clarifying that the gross annual revenue calculation relating to an exemption for smaller
entities is based only on the Covered Entity’s and its Affiliates’ New York business
operations;
o Clarifying that the employee calculation relating to an exemption for smaller entities is based
on the location of such employees of the Covered Entity or its Affiliates in New York or
whether such employees are responsible for the Covered Entity’s business;
o Broadening the requirement to notify the DFS of certain Cybersecurity Events: In the
Proposal, to warrant notification to the DFS, a Cybersecurity Event had to meet two
conditions: (1) be a Cybersecurity Event of which notice is required to be provided to a
government body, self-regulatory agency or any other supervisory body, and (2) have a
reasonable likelihood of materially harming any material part of the Covered Entity’s normal
operations. In the Final Regulation, if a Cybersecurity Event meets either of these
conditions, the Covered Entity must notify the DFS of such Cybersecurity Event within 72
hours; and
o Relaxing the record retention requirements for audit trail records from six years to three
years.
Under the Final Regulation, subject to certain exemptions, any individual, partnership,
corporation, association or other entity operating under or required to operate under a license,
registration, charter, certificate, permit, accreditation or similar authorization under the New York
Banking Law, Insurance Law or Financial Services Law (a “Covered Entity”) is required to:
o Establish a Cybersecurity Program designed to ensure the security of the Covered Entity’s
information systems, which must include: information and systems security, data
governance and classification, asset inventory and device management, access controls,
disaster recovery plans, a Risk Assessment, vendor and third-party service provider
management, and a written Incident Response Plan;
o Adopt a written Cybersecurity Policy;
The Final Regulation is effective March 1, 2017 and establishes the following four compliance
deadlines:
o For requirements not specifically addressed below, the compliance deadline is September
1, 2017.
o For the requirements in sections 500.04(b) (Chief Information Security Officer Report),
500.05 (penetration testing and vulnerability assessments), 500.09 (risk assessment),
500.12 (multi-factor authentication), and 500.14(b) (cybersecurity training for personnel), the
compliance deadline is March 1, 2018.
o For the requirements in sections 500.06 (audit trail), 500.08 (application security), 500.13
(limitations of data retention), 500.14(a) (implementation of policies and procedures
regarding monitoring), and 500.15 (encryption of nonpublic information), the compliance
deadline is September 1, 2018.
o For the requirements in section 500.11 (Third Party Service Provider Security Policy), the
compliance deadline is March 1, 2019.
Since there is a short period of time before the first compliance deadline of September 1, 2017,
Covered Entities should start formulating a plan to comply with the Final Regulation.
o If a Covered Entity qualifies for an exemption, it must file a Notice of Exemption with the
DFS.
o If a Covered Entity does not qualify for an exemption, it must prepare the following
documents:
1. Cybersecurity Policy;
2. Incident Response Plan;
3. Documentation of the required Risk Assessment;
4. Certification of Compliance to be submitted to the DFS (and relevant
attachments);
5. Annual report to be delivered by the CISO to the Covered Entity’s board of
directors; and
6. Third Party Service Provider Security Policy.
Conclusion
The DFS requires the following of your cybersecurity program:
o Identification of cyber risks.
o Implementation of policies and procedures to protect against unauthorized access/use or other
malicious acts.
o Detection of cybersecurity events.
o Responsiveness to identified cybersecurity events to mitigate any negative effects.
o Recovery from cybersecurity events and restoration of normal operations and services.
Covered Entities include the following types of entities, among others, chartered or licensed by
the NYDFS.
Additional Resources
CCSI’s Information Security practice group has formulated a plan of action and scope of work
for its clients who are covered by the Final Regulation.
CCSI’s Security Lifecycle Framework provides organizations with the ability to work with CCSI
to choose, integrate and operate a wide range of security technologies across the IT enterprise,
centralize threat intelligence management & orchestration, and automate responses to threats
without waiting for human intervention.
Creating a partnership to plan, design, integrate and optimize a variety of security technologies
enables our customers to have a rapid threat identification, isolation, and elimination strategy in
hand. Leveraging our 24x7 Security and Network Operations Center (SNOC) will free up critical
and scarce security resources for other needs within the organization.
Security managers are faced with security product challenges at every turn. Next Generation
Firewalls (NGFW), endpoint protection systems, Data Loss Prevention (DLP), malware
sandboxes, and other security technologies are often purchased as stand-alone technologies,
requiring high degrees of integration effort in order to harmonize their functions and capitalize
on their potential value.
The CCSI Security Lifecycle Framework enables a consistent security policy and strategy
across the numerous head-spinning choices of point security technologies. Malware
signatures, system changes, poisoned web sites, endpoint vulnerabilities, and a wide range of
other security issues can be automatically managed through CCSI’s SNOC and through our
advanced breach detection platform called Threat Detect.
CCSI empowers a security architecture strategy that can automatically identify and manage a
wide range of network security issues so you can focus on what’s most important - your
business.
The CCSI Security Framework does not stop at the edge of your enterprise. CCSI customers
also have the added benefit of being able to work directly with our security analysts to analyze
and identify potential malware discovered within your environment. Based on run book
procedures, CCSI’s analysts can isolate and take action before an incident occurs.
Use your resources wisely by leveraging the power of CCSI’s Security Lifecycle Framework.