
Page 1 of 20

Executive Summary

In September 2016, the New York State Department of Financial Services (the “NYDFS”)
proposed new cybersecurity regulations (the “Proposed Rules”) for banks, insurance
companies, and other financial institutions regulated by the NYDFS (“Covered Entities”).
The Proposed Rules reflect an ongoing interest in cybersecurity by the NYDFS and other
regulators as a result of recent high-profile cyberattacks targeting banks and other institutions.
These incidents include the attack on the Bangladesh Central Bank in February 2016.
The NYDFS’s interest in this area has been especially pronounced given New York’s
importance to the financial markets and was evidenced by the fact that the Proposed Rules
were announced by New York Governor Andrew Cuomo.

TABLE OF CONTENTS

White Paper Brief ............................................................ 4
Introduction and Background ........................................ 5
NYSDFS Regulations: Purpose & Entities .................... 6
History .............................................................................. 7
The NYS DFS Regulation to Date .................................. 8
Quick Review of the Sections ...................................... 12
Final Version of Regulation.......................................... 16
Conclusion..................................................................... 18
Additional Resources ................................................... 19

White Paper Brief


This whitepaper is written based on the proposals and rules made by the New York State
Department of Financial Services (NYDFS).

Since its writing, NYDFS has finalized its regulations. This whitepaper is organized to provide a
more complete plan than what has been announced as the final revision of these rules. It is the
writer’s belief that organizations need to protect their customers and intellectual property, rather
than simply trying to comply with regulations.

What the final version presents is a series of steps that, if followed, will minimize the likelihood
of a data breach. If the reader also follows the additional steps outlined here that go beyond the
final version of the regulations, the risk of a breach will be statistically even lower. And it doesn’t stop there.

Organizations need to follow a series of security best practices across systems, the network,
and people. Add to that a security framework that provides a lifecycle approach, much as a
homeowner layers an alarm system, cameras, deadbolt locks, and warning signage. Security
frameworks help organizations make it more difficult for computer criminals to succeed in their
attacks.

The reader may be familiar with a lifecycle service approach, but for reference, CCSI uses this
methodology in all engagements.

Introduction and Background


New York State Department of Financial Services has announced regulations requiring banks
and insurers to meet minimum cyber-security standards and report breaches to regulators as
part of an effort to combat a surge in cybercrime and limit damages to consumers.

The rules, in the works since 2014, respond to a series of high-profile data breaches that
resulted in losses of hundreds of millions of dollars to U.S. companies, including Target Corp,
Home Depot Inc, and Anthem Inc.

Why do we care about these rules? One Simple Answer - Data Breaches

According to NYDFS, “Most institutions irrespective of size experienced intrusions or attempted
intrusions into their IT systems over the past three years.”

As technology dependence in the financial sector continues to grow, so do opportunities for
high-impact technology failures and cyber-attacks.

The top three factors driving cybersecurity spending are as follows:

1. Compliance and regulatory requirements

2. Business continuity and disaster recovery

3. Reputation

The NYDFS reports that 79 percent of surveyed depository institutions were increasing their
cybersecurity budgets for 2014 - 2017.

NYSDFS Regulations: Purpose & Entities


These rules lay out steps financial firms must take to protect their networks and customer data
from hackers and to disclose cyber events to state regulators.

Accordingly, these regulations are designed to promote the protection of customer information
as well as the information technology systems of regulated entities. They require each company
to assess its specific risk profile and design a program that addresses its risks in a robust
fashion.

Senior management must take this issue seriously, assume responsibility for the organization’s
cybersecurity program, and file an annual certification confirming compliance with these
regulations. A regulated entity’s cybersecurity program must ensure the safety and soundness
of the institution and protect its customers.

These new regulations by NYDFS specify that anyone authorized to operate under New York
banking, insurance, or financial services laws is subject to and covered by them.
Specifically, regulated entities include: state-chartered banks and trust companies, insurance
companies, insurance producers, insurance adjusters, bail bond agents, service contracts, life
settlements, budget planners, charitable foundations, check cashers, credit unions, investment
companies, licensed lenders, money transmitters, mortgage bankers, mortgage brokers,
mortgage loan servicers, premium finance agencies, private bankers, safe deposit companies,
sales finance companies, savings banks, and savings and loans.

In December, New York State delayed implementation of the rules by two months and loosened
some requirements after financial firms complained they were onerous and said they needed
more time to comply.

History
Let’s take a step back. The NYDFS was created in 2011 when the NYS Insurance Department
and the NYS Banking Department were consolidated. Today, the NYDFS supervises
approximately 4,500 entities. It's currently headed by the Superintendent of Financial Services
Maria Vullo.
In 2013, the NYDFS began surveying banking organizations and later insurance companies. It
then issued reports in 2014 and 2015 on cybersecurity in the insurance and banking industries.

From there, a letter was sent by NYDFS on Nov 9, 2015, from the then Acting Superintendent to 18
members of the Financial and Banking Information Infrastructure Committee, heralding the intent to
issue cybersecurity requirements.

The NYS DFS Regulation to Date


The Proposed Regulations, “Cybersecurity Requirements for Financial Services Companies”
(Part 500 of Title 23 of the Official Compilation of Codes, Rules, and Regulations of the State of
New York) were first announced on September 13, 2016 and published in the State Register on
September 28, 2016. The public comment period for the regulations ended on November 14, 2016.
NYDFS released the following Regulation Materials:
1. Proposed 23 NYCRR 500 (PDF)
2. Notice of Proposed Rulemaking (PDF)
3. Summary of the Rules (PDF)
4. Regulatory Impact Statement - SAPA (PDF)
5. Executive Order No. 17 (PDF)

Limited Exclusion
Sec. 500.18(a) includes a limited exemption to the Regulations for otherwise Covered Entities. If
a CE has:
1. Fewer than 1,000 customers in each of the last 3 years, and
2. Less than $5M in gross annual revenue in each of the last 3 fiscal years, and
3. Less than $10M in year-end total assets per GAAP (including any affiliates for purposes
of the total asset calculation),
then such entities are exempt from the Regulations' requirements involving maintenance of
specific cybersecurity personnel, app development, multi-factor authentication, training,
encryption, audits and audit trails, and conducting vulnerability tests.
Regulations Short List

• Programs - A comprehensive Cybersecurity Program covering eight core functions.
• Policies - A written Cybersecurity Policy, Third-Party Infosec Policy, and Incident
Response Plan, each of which must address specific required items.
• Personnel - Training, monitoring, appointment of a “qualified individual” as CISO, and
“sufficient” cybersecurity personnel. (Outside third parties can handle these functions.)
• Technology - Infosec technology and practices, including: MFA, encryption (at rest and
in transit), data retention limits, six years of audit trail records, mandated training for all
employees and specific cybersecurity training, and testing/risk assessment (including
quarterly vulnerability assessments and annual penetration testing).
• Third Party Vendor Requirements – Annual assessment of vendors’ cybersecurity
practices and mandated contractual terms “to the extent applicable”, including: use of
MFA, encryption, “prompt” notice of “any” Cybersecurity Event, ID protection services for
customers, a representation that any service or product is free of viruses, etc., and the
right to perform “cybersecurity audits”.

Reporting & Certification that includes:

• A CISO-written report to the Board of Directors at least twice a year (which the DFS can
request).
• Reporting to NYDFS of certain “Cybersecurity Events” within 72 hours of discovery.
• Annual certification by the BoD or “Senior Officer(s)” of compliance with the NYDFS
Regulations by January 15th of each year (with maintenance for five years of
“records, schedules and data” supporting the certification).

The Cybersecurity Program


This Cybersecurity Program’s purpose is to ensure “confidentiality, integrity and availability” of
Information Systems. It must address:

• Minimum of 6 Core Functions – Identify cyber risks, defensive infrastructure,
Cybersecurity Event detection, response and mitigation, recovery, and regulatory
reporting.
• Annual penetration testing and quarterly vulnerability testing.
• Detailed audit trail logging and data retention.
• Appropriate access privilege settings and access limitations.
• Risk-based policies, procedures, and controls to monitor unauthorized access.
• Encryption of all Nonpublic Information – At rest and in transit.
• Data retention limits and timely destruction of NPI no longer necessary.
• Regular cybersecurity awareness training for all employees.
• Secure application development – Both internal & external.
• Written incident response plan.
• Review and approval by the CISO annually.

The Cybersecurity Policies


A Cybersecurity Policy detailing procedures for the protection of NPI and Information Systems
must at minimum address 14 areas that are broad and open-ended (e.g., “capacity and
performance planning, customer data privacy, risk assessment, data governance and
classification, etc.”):

• May require existing Cybersecurity Policies to be reviewed and expanded given the broad
definition of NPI.
• Must be updated “as frequently as necessary” but at least annually.
• Requires a third-party Information Security Policy to ensure security of NPI and
Information Systems “accessible to or held by” third parties.
• Identify these parties and perform risk assessments.
• Specify minimum cybersecurity practices that third parties must meet.
• Detail due diligence processes to determine third-party cybersecurity adequacy.
• Implement an annual assessment of third parties' cybersecurity practices.

Personnel
Chief Information Security Officer:

• Must be designated, “qualified”, and held responsible for the oversight, implementation,
and enforcement of the Cybersecurity Program and Policy.
• Can be met through third-party service providers (“outsourced CISO”).
• 72-hour notifications to NYDFS; the DFS can request all CISO reports.
• Additional reading: http://www.ccsinet.com/candidates-qualities-ciso-career-job/

New IT security personnel requirements:

• Must “employ cybersecurity personnel sufficient to manage” cybersecurity risks and
perform core cybersecurity functions.
• Regular “cybersecurity update and training sessions” for all cybersecurity personnel (and
annual cybersecurity training for everyone else).
• Require “key” cybersecurity personnel to “stay abreast of” cybersecurity threats and
countermeasures.
• Covered Entities can use a “qualified third party” to assist with these personnel requirements.

Third Party Vendor Requirements


The following are the key points for Third Parties with respect to the regulation:

• Separate written Third-Party Information Security Policy.
• Periodic (at least annual) assessments of third-party cybersecurity practices.
• Written minimum cybersecurity practices third parties must meet “in order for them to do
business” with the Covered Entity. Typically a contract exhibit add-on.
• Contractual provisions for third-party contracts requiring the vendor “to the extent
applicable” to agree to:
1. Multi-Factor Authentication
2. Encryption in transit and at rest
3. Prompt notice for any Cybersecurity Event (even one not containing Covered
Entity NPI) affecting the third-party vendor
4. Offer identity protection services (for an unspecified length of time) to any Covered
Entity customers “materially impacted” by a Cybersecurity Event due to the third
party’s “negligence or willful misconduct”
• Reps and Warranties of no viruses, trap doors, time bombs, “and other mechanisms that
would impact the security” of the CE’s Information Systems or NPI
• “Right of Covered Entity or its agents to perform cybersecurity audits” of the third party

Reporting and Notices


As stated in the proposed regulation, the following will be applicable:

• Biannual CISO report to the board, which the DFS can request:
o Must assess security status, detail exceptions to cybersecurity
policies/procedures, identify cyber risk to the CE, assess the “effectiveness” of the
cybersecurity program, list remediation steps for any identified items, and
summarize “all material Cybersecurity Events” that affected the CE during the time
period of the report.
• Annual Certification to the DFS by Jan 15 of each year using the form specified by the Regs
o Certification that the Board or a Senior Officer has reviewed “documents, reports,
certifications and opinions” as necessary, that “to the best of knowledge” the CE
complies with the Regs, and that documents any areas requiring “material improvement,
updating or redesign” and any “remedial efforts planned and underway” as to such
areas.
• Must notify the DFS Superintendent within 72 hours of discovery of (1) all Cybersecurity Events
with a “reasonable likelihood of materially affecting the normal operation of the CE or that
affects NPI” and (2) any identified “material risk of imminent harm” relating to the CE’s
cybersecurity program.

What follows is a series of mappings based on the information currently proposed by NYDFS.
As the final details are released, some of these may become optional, but it is highly
recommended that they be strongly considered, since the intent of any security policy is for
businesses to protect their customers and to provide confidentiality, integrity, and availability.

Quick Review of the Sections


1. Risk Assessment (Section 500.09)
2. Access Privileges (Section 500.07)
3. Multi-Factor Authentication vs. Risk-Based Authentication (Section 500.12)
4. Penetration Testing vs Vulnerability Assessments (Section 500.05)
5. Application Security (Section 500.08)
6. Audit Trail & Data Retention (Section 500.06 &.14)
7. Encryption (Section 500.15)
8. Incident (Breach) Response (Section 500.16)

1) Risk Assessment (Section 500.09)


“Annually”, “conduct a risk assessment”, “in accordance with written policies and procedures”,
that are “documented” and that “includes” a “criteria for the evaluation and a categorization of
identified risks” considering “confidentiality, integrity, and availability” of “systems” and the related
“adequacy of existing controls”.
Best Practices

• Industry Best Practice Frameworks:
o FFIEC Cybersecurity Assessment Tool
o National Institute of Standards and Technology (NIST) Cybersecurity Self-Assessment Tool
o US-CERT Cyber Resilience Review

2) Access Privileges (Section 500.07)


“Limit access”, “to nonpublic information”, “to those individuals that require such access”, “to
perform their responsibilities” and “periodically review such access”.
Best Practices
“Key” features and/or controls that need to be embedded within “Identity Management” solutions
and/or the internal control environment:
o Account Request Management - Ability to request, establish, modify,
and/or terminate access.
o Role-Based Access - Ability to manage groups, roles, permissions, and/or
resources based on function/responsibility.
o User Provisioning - Ability to periodically retrieve and recertify access
based on organizational hierarchies and ownership.

3) Multi-Factor Authentication vs. Risk-Based Authentication (Section 500.12)


“Multi-Factor Authentication” requires two of the following types of factors: 1) “Knowledge
factors, such as a password”, 2) “Possession factors, such as a token or text message on a
mobile phone” and/or 3) “Inherence factors, such as a biometric characteristic”.
Best Practices
o Multi-Factor Authentication
1. Knowledge Factors
2. Possession Factors
3. Inherence Factors
o Risk-Based Authentication requiring additional verification
1. Device Security
2. Concurrent Login
3. Stale Account Login
4. Failed Login Attempts Exceed Thresholds
5. Behavioral Profiling

1. “Multi-Factor Authentication” required “for any individual accessing the Covered Entity’s
internal systems or data from an external network”.
2. “Multi-Factor Authentication” required for “privileged access” to database servers that
allow access to Nonpublic Information.
3. “Risk-Based Authentication” required “in order to access web applications that capture,
display or interface with Nonpublic Information”.
4. “Multi-Factor Authentication” required “for any individual accessing web applications that
capture, display or interface with Nonpublic Information”.
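As an added example (not code from the white paper or from CCSI), the following Python sketch turns the Best Practices list above into a working risk-based authentication decision: each of the five signal classes becomes a scored check, the 500.12 cases where MFA is mandatory override the score, and excessive failed attempts lock the account. All thresholds, weights and the sample logins are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed example, not from the white paper: a risk-based authentication
# policy that scores a login attempt against the five signal classes listed
# above (device security, concurrent login, stale account, failed-attempt
# thresholds, behavioral profiling) and decides whether a second factor is
# needed. Thresholds and weights are assumptions for illustration.

@dataclass
class LoginContext:
    user: str
    device_id: str
    device_managed: bool            # device security: managed, patched endpoint?
    known_devices: FrozenSet[str]   # devices this user has used before
    active_sessions: int            # sessions already open for this user
    last_login: Optional[datetime]  # None if the account has never logged in
    failed_attempts: int            # failures in the current lockout window
    hour_utc: int                   # hour of this attempt (behavioral profile)
    usual_hours: Tuple[int, int]    # [start, end) hours seen in the user's history
    external_network: bool          # request originates outside the entity's network
    privileged_npi: bool            # privileged access to systems holding NPI

FAILED_THRESHOLD = 5   # failed attempts that trigger a lockout (assumed)
STALE_DAYS = 90        # no login for this long marks the account stale (assumed)
SESSION_LIMIT = 1      # this many already-open sessions counts as concurrent
STEP_UP_SCORE = 3      # risk score at which a second factor is demanded

WEIGHTS = {            # assumed weights; tune from real login telemetry
    "unknown_device": 2,
    "unmanaged_device": 1,
    "concurrent_login": 2,
    "stale_account": 2,
    "off_hours": 1,
}

def risk_signals(ctx: LoginContext, now: datetime) -> Dict[str, bool]:
    """Evaluate each risk signal for one login attempt."""
    start, end = ctx.usual_hours
    stale = ctx.last_login is None or now - ctx.last_login > timedelta(days=STALE_DAYS)
    return {
        "unknown_device": ctx.device_id not in ctx.known_devices,
        "unmanaged_device": not ctx.device_managed,
        "concurrent_login": ctx.active_sessions >= SESSION_LIMIT,
        "stale_account": stale,
        "off_hours": not (start <= ctx.hour_utc < end),
    }

def decide(ctx: LoginContext, now: datetime) -> Tuple[str, int, List[str]]:
    """Return (decision, score, triggered signals); decision is 'deny' (lockout),
    'mfa' (mandatory under 500.12: external access to internal systems or
    privileged NPI access, whatever the score), 'step_up' (score demands a
    second factor) or 'allow'."""
    signals = risk_signals(ctx, now)
    triggered = sorted(name for name, hit in signals.items() if hit)
    score = sum(WEIGHTS[name] for name in triggered)
    if ctx.failed_attempts >= FAILED_THRESHOLD:
        return "deny", score, triggered       # lockout beats everything else
    if ctx.external_network or ctx.privileged_npi:
        return "mfa", score, triggered
    if score >= STEP_UP_SCORE:
        return "step_up", score, triggered
    return "allow", score, triggered

def sample_contexts() -> Tuple[datetime, Dict[str, LoginContext]]:
    """Constructed login attempts for one user, for demonstration only."""
    now = datetime(2017, 3, 1, 14, 0, tzinfo=timezone.utc)
    base = dict(user="jdoe", device_id="laptop-42", device_managed=True,
                known_devices=frozenset({"laptop-42"}), active_sessions=0,
                last_login=now - timedelta(days=1), failed_attempts=0,
                hour_utc=14, usual_hours=(8, 18), external_network=False,
                privileged_npi=False)
    return now, {
        "routine": LoginContext(**base),
        # unknown, unmanaged phone at 02:00 UTC
        "new_device_night": LoginContext(**{**base, "device_id": "phone-7",
                                             "device_managed": False, "hour_utc": 2}),
        "remote": LoginContext(**{**base, "external_network": True}),
        "lockout": LoginContext(**{**base, "failed_attempts": 6}),
        # account never used before, yet a session is already open
        "stale_shared": LoginContext(**{**base, "last_login": None,
                                         "active_sessions": 1}),
    }
```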

4) Penetration Testing vs Vulnerability Assessments Practices (Section 500.05)


“Vulnerability assessment of”, “Information Systems at least quarterly”.
“Penetration testing” of “Information Systems at least annually”.

5) Application Security (Section 500.08)


“Written procedures, guidelines and standards designed to ensure the use of secure
development practices for in-house developed applications” and “assessing and testing the
security of all externally developed applications”.
o Industry Best Practice Frameworks:
1. Open Web Application Security Project (OWASP)
2. Web Application Security Consortium (WASC)
3. Others: The Federal Financial Institutions Examination Council
(FFIEC), and the National Institute of Standards and Technology
(NIST).
o Industry Principles:
1. Configuration Management
2. Secure Transmission
3. Authentication & Authorization
4. Session Management
5. Data Validation
6. Output Encoding and Escaping
7. Cryptography
8. Error Handling
9. Risk Functionality

6) Audit Trail & Data Retention (Section 500.06 &.14)


“Cybersecurity program” that includes the ability to “track and maintain data” for the “complete
and accurate reconstruction of all transactions and accounting”, the “logging of all privileged
user access to critical systems”, that “protects the integrity” of any “audit trail” or “hardware”
“from alteration or tampering”, and that is maintained “for not fewer than six years”.
o Privileged Account Best Practices
1. Create and enforce policies that forbid the use of single, “all powerful” accounts.
2. Privileged Account Password Tools (one-time password generation/expiration)
3. Leveraging privileged account monitoring & logging tools (e.g., Sudo, User
Session Monitoring & Recording Solutions, Virtual/Physical Jump Stations)
o Audit Logging Best Practices
1. Log events should be defined so that a human can read and understand them
2. Events need to be timestamped
3. Unique identifiers (IDs) should be defined for each auditable activity
4. Log in a text format (not binary)
5. Identify the source of the event
6. Limit the ability to access logs and restrict the ability to modify logs
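As an added example (not part of the white paper or of CCSI's tooling), a plain-text audit trail that applies the logging practices above and the integrity requirement of 500.06: every record is timestamped, uniquely identified and attributed to a source, and a hash chain lets a reviewer prove that no line was altered or removed. Host names, accounts and timestamps are constructed.

```python
import hashlib
import json
import uuid
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Constructed example, not from the white paper: a plain-text, hash-chained
# audit trail. Every record is timestamped, carries a unique event id and the
# source of the event, and embeds the SHA-256 of the previous record, so that
# altering or deleting any earlier line is detected on verification.

GENESIS = "0" * 64   # "previous hash" of the very first record

def _canonical(rec: dict) -> str:
    """Deterministic JSON so the hash can be recomputed byte for byte."""
    return json.dumps(rec, sort_keys=True, separators=(",", ":"))

class AuditTrail:
    def __init__(self) -> None:
        self.lines = []            # one JSON object per line (text, not binary)
        self.last_hash = GENESIS

    def append(self, source: str, actor: str, action: str, target: str,
               when: Optional[datetime] = None) -> str:
        """Record one privileged-user event chained to the previous record."""
        when = when or datetime.now(timezone.utc)
        rec = {
            "ts": when.isoformat(),      # timestamp
            "id": str(uuid.uuid4()),     # unique identifier for this event
            "source": source,            # host or application that produced it
            "actor": actor,
            "action": action,
            "target": target,
            "prev": self.last_hash,      # link to the previous record
        }
        rec["hash"] = hashlib.sha256(_canonical(rec).encode()).hexdigest()
        self.last_hash = rec["hash"]
        self.lines.append(_canonical(rec))
        return rec["id"]

    def text(self) -> str:
        return "".join(line + "\n" for line in self.lines)

def verify(text: str) -> Tuple[bool, int]:
    """Walk the chain; return (True, -1) or (False, index of first bad line)."""
    prev = GENESIS
    for i, line in enumerate(text.splitlines()):
        rec = json.loads(line)
        claimed = rec.pop("hash", None)
        if rec.get("prev") != prev:          # a line was removed or reordered
            return False, i
        if hashlib.sha256(_canonical(rec).encode()).hexdigest() != claimed:
            return False, i                  # the line itself was altered
        prev = claimed
    return True, -1

def tamper_demo() -> Tuple[Tuple[bool, int], Tuple[bool, int], Tuple[bool, int]]:
    """Build a three-record trail, then alter one line and drop another."""
    trail = AuditTrail()
    t0 = datetime(2017, 3, 1, 9, 0, tzinfo=timezone.utc)   # constructed times
    trail.append("db01.example.test", "dba_jane", "sudo -i", "db01", t0)
    trail.append("db01.example.test", "dba_jane", "SELECT * FROM customers",
                 "npi_db", t0 + timedelta(minutes=1))
    trail.append("db01.example.test", "dba_jane", "logout", "db01",
                 t0 + timedelta(minutes=5))
    clean = trail.text()
    lines = clean.splitlines()
    altered = lines[:]
    altered[1] = altered[1].replace("SELECT * FROM customers", "SELECT 1")
    truncated = [lines[0], lines[2]]          # middle record silently dropped
    return (verify(clean),
            verify("\n".join(altered) + "\n"),
            verify("\n".join(truncated) + "\n"))
```

Pruning records at the end of the retention period must be done from the head of the chain with the new first record's predecessor hash recorded as a checkpoint, or verification of the remaining records will fail by design.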

7) Encryption (Section 500.15)


“Encrypt all nonpublic information” “in transit” within “one year from the date this regulation
becomes effective” or “five years” for nonpublic information “at rest”, with adequate
“compensating” controls between the regulation’s effective date and the end of the transition period.

8) Incident (Breach) Response (Section 500.16)


“Establish a written incident response plan designed to promptly respond to, and recover from,
any Cybersecurity Event”

o Policy
1. Team
2. Response Plan/Strategy
3. Communication
4. Documentation
5. Training
6. Testing
o Identification
o Containment
o Eradication
o Lessons Learned

Final Version of Regulation


On February 16, 2017, the New York Department of Financial Services (the “DFS”) released
a final version (the “Final Regulation”) of its proposed regulation, previously released in an
earlier revised form on December 28, 2016, that would require banks, insurance companies,
and other financial services institutions regulated by the DFS to adopt broad cybersecurity
protections (the “Proposal”).

Although the Final Regulation retains most of the content of the Proposal discussed herein, the
Final Regulation departs from the Proposal by:

• Expanding the types of entities that can qualify for an exemption from coverage by the Final
Regulation (such as certain insurance companies) and identifying the sections of the Final
Regulation from which such entities are exempt;
• Clarifying that the gross annual revenue calculation relating to an exemption for smaller
entities is based only on the Covered Entity’s and its Affiliates’ New York business
operations;
• Clarifying that the employee calculation relating to an exemption for smaller entities is based
on the location of such employees of the Covered Entity or its Affiliates in New York or
whether such employees are responsible for the Covered Entity’s business;
• Broadening the requirement to notify the DFS of certain Cybersecurity Events: In the
Proposal, to warrant notification to the DFS, a Cybersecurity Event had to meet two
conditions: (1) be a Cybersecurity Event of which notice is required to be provided to a
government body, self-regulatory agency or any other supervisory body, and (2) have a
reasonable likelihood of materially harming any material part of the Covered Entity’s normal
operations. In the Final Regulation, if a Cybersecurity Event meets either of these
conditions, the Covered Entity must notify the DFS of such Cybersecurity Event within 72
hours; and
• Relaxing the record retention requirements for audit trail records from six years to three
years.

Under the Final Regulation, subject to certain exemptions, any individual, partnership,
corporation, association or other entity operating under or required to operate under a license,
registration, charter, certificate, permit, accreditation or similar authorization under the New York
Banking Law, Insurance Law or Financial Services Law (a “Covered Entity”) is required to:

• Establish a Cybersecurity Program designed to ensure the security of the Covered Entity’s
information systems, which must include: information and systems security, data
governance and classification, asset inventory and device management, access controls,
disaster recovery plans, a Risk Assessment, vendor and third-party service provider
management, and a written Incident Response Plan;
• Adopt a written Cybersecurity Policy;
• Designate a Chief Information Security Officer (“CISO”) responsible for implementing,
overseeing and enforcing the cybersecurity program and policy; and
• Comply with notice and reporting requirements, which include: reporting certain
Cybersecurity Events to the DFS within 72 hours, and submitting annual compliance
certifications to the DFS by February 15 of each year.

The Final Regulation is effective March 1, 2017 and establishes the following four compliance
deadlines:

• For requirements not specifically addressed below, the compliance deadline is September
1, 2017.
• For the requirements in sections 500.04(b) (Chief Information Security Officer Report),
500.05 (penetration testing and vulnerability assessments), 500.09 (risk assessment),
500.12 (multi-factor authentication), and 500.14(b) (cybersecurity training for personnel), the
compliance deadline is March 1, 2018.
• For the requirements in sections 500.06 (audit trail), 500.08 (application security), 500.13
(limitations of data retention), 500.14(a) (implementation of policies and procedures
regarding monitoring), and 500.15 (encryption of nonpublic information), the compliance
deadline is September 1, 2018.
• For the requirements in section 500.11 (Third Party Service Provider Security Policy), the
compliance deadline is March 1, 2019.

Since there is a short period of time before the first compliance deadline of September 1, 2017,
Covered Entities should start formulating a plan to comply with the Final Regulation.

• If a Covered Entity qualifies for an exemption, it must file a Notice of Exemption with the
DFS.
• If a Covered Entity does not qualify for an exemption, it must prepare the following
documents:
1. Cybersecurity Policy;
2. Incident Response Plan;
3. Documentation of the required Risk Assessment;
4. Certification of Compliance to be submitted to the DFS (and relevant
attachments);
5. Annual report to be delivered by the CISO to the Covered Entity’s board of
directors; and
6. Third Party Service Provider Security Policy.

Conclusion
The DFS requires the following of your cybersecurity program:
• Identification of cyber risks.
• Implementation of policies and procedures to protect against unauthorized access/use or other
malicious acts.
• Detection of cybersecurity events.
• Responsiveness to identified cybersecurity events to mitigate any negative effects.
• Recovery from cybersecurity events and restoration of normal operations and services.

Covered Entities include the following types of entities, among others, chartered or licensed by
the NYDFS.

• Insured depository institutions;
• Branches, agencies or offices of a non-U.S. bank;
• Trust companies;
• Credit unions;
• Check cashers;
• Money transmitters;
• Institutions with BitLicenses; and
• Mortgage brokers.

Institutions that would not be Covered Entities include, for example:

• National banks or banks chartered in other states, including their New York branches;
• Federal credit unions;
• Broker-dealers;
• OCC-chartered branches or agencies of non-U.S. banks; and
• An affiliate of a Covered Entity that is not itself a Covered Entity.

Additional Resources
CCSI’s Information Security practice group has formulated a plan of action and scope of work
for its clients who are covered by the Final Regulation.

Contact your relationship manager at CCSI for assistance.

CCSI’s Security Lifecycle Framework provides organizations with the ability to work with CCSI
to choose, integrate and operate a wide range of security technologies across the IT enterprise,
centralize threat intelligence management & orchestration, and automate responses to threats
without waiting for human intervention.

CCSI Security Practice Group Framework

Creating a partnership to plan, design, integrate and optimize a variety of security technologies
enables our customers to have a rapid threat identification, isolation, and elimination strategy in
hand. Leveraging our 24x7 Security and Network Operations Center (SNOC) will free up critical
and scarce security resources for other needs within the organization.

Security managers are faced with security product challenges at every turn. Next Generation
Firewalls (NGFW), endpoint protection systems, Data Loss Prevention (DLP), malware
sandboxes, and other security technologies are often purchased as stand-alone technologies,
requiring high degrees of integration effort in order to harmonize their functions and capitalize
on their potential value.

The CCSI Security Lifecycle Framework enables a consistent security policy and strategy
across the numerous head-spinning choices of point security technologies. Malware
signatures, system changes, poisoned web sites, endpoint vulnerabilities, and a wide range of
other security issues can be automatically managed through CCSI’s SNOC and through our
advanced breach detection platform, Threat Detect.

CCSI empowers a security architecture strategy that can automatically identify and manage a
wide range of network security issues so you can focus on what’s most important - your
business.

The CCSI Security Framework does not stop at the edge of your enterprise. CCSI customers
also have the added benefit of being able to work directly with our security analysts to analyze
and identify potential malware discovered within your environment. Based on run book
procedures, CCSI’s analysts can isolate and take action before an incident occurs.

Use your resources wisely by leveraging the power of CCSI’s Security Lifecycle Framework.

For More Information


www.ccsinet.com/resources

For more information, please contact Jessica Olivieri at ccsi.marketing@ccsinet.com

https://twitter.com/ccsinet

https://www.facebook.com/ccsinet1/

https://www.linkedin.com/company/contemporary-computer-services-inc-ccsi-/