For years, governing agencies and leaders have held the “it won’t happen to us” mentality toward cyber attacks. However, threats are becoming more sophisticated at a faster rate than anyone expected. New techniques emerge constantly to get around current security systems and compromise sensitive resources. The increasing likelihood of cyber attacks and the rising consequences of these events have grabbed the attention of federal and state legislators seeking to better protect government entities and the public. In September 2016, the New York Department of Financial Services released a draft of its cyber security regulations, known as 23 NYCRR Part 500, with the final version going into effect on March 1, 2017. This first-in-the-nation regulation is aimed at protecting the state of New York and its financial institutions from cyber attacks. The initiative covers a wide range of requirements, from establishing a cyber security program to how third-party service providers should be managed. Let’s take a closer look at the most important things to know about the NYDFS cybersecurity regulations:
1. You Must Report All Cyber Attacks
Reporting cyber attack events is nothing new for businesses, but 23 NYCRR Part 500 adds an obligation to report unsuccessful cyber attacks as well. According to The National Law Review, the regulation defines a reportable cyber security event as one that has a reasonable likelihood of materially harming any part of normal operations, including attempts – successful or unsuccessful – to gain unauthorized access to information systems. Businesses within regulated industries must notify DFS of unsuccessful attacks that appear particularly significant based on the measures used to respond and the risk the company faces.
Reporting failed attempts is actually a positive thing for businesses all around. It not only demonstrates an organization’s protection capabilities to its customers, but also promotes information sharing to prevent similar incidents at other companies. Following this requirement will not penalize leaders for their judgments, but rather help others overcome advancing threats on an ongoing basis. Companies across industries can build a network for sharing critical information, identifying trends and creating solutions that mitigate emerging threats.
2. Third-party Services Must Be Vetted More Rigorously
When an organization uses third-party services, it opens itself up to potential risks, particularly if the provider doesn’t follow the necessary compliance requirements. Consider the massive Target breach, which occurred due to a vulnerability in a third-party system that enabled attackers to access Target resources and compromise financial information for millions of customers. The fallout from this attack led to public distrust and monetary losses for the company. Most organizations cannot afford to go through a situation like this, yet it is becoming more likely as third-party solutions prove insecure.
The NYDFS cybersecurity regulations strive to ensure that such situations don’t happen, placing stringent requirements on third-party risk management. Third parties are now required to meet minimum protection practices, undergo periodic assessments and ensure the continued adequacy of their cyber security approaches. This can include encrypting data in transit and at rest, as well as establishing minimum information security controls such as application whitelisting and usage monitoring. Organizations must put written policies and procedures in place to ensure that third-party vendors support these cyber security regulations and to create accountability.
3. There’s A Time Limit To Comply
As with many other regulations, covered entities under 23 NYCRR Part 500 must come into compliance within a certain time limit. According to the NYDFS cybersecurity regulations, organizations need to meet the criteria by Aug. 28, 2017, unless otherwise specified in 23 NYCRR 500.22. The department also noted that it recognizes that some elements of the regulations will require longer transitional periods, but that a cyber security program along with related policies and procedures should be in place by the deadline. The regulations expect full compliance with their requirements, and organizations cannot submit a certification unless they have met all applicable requirements at the time of certification. Financial institutions must submit the first certification under 23 NYCRR 500.17(b) by Feb. 15, 2018.
4. Businesses Need To Implement Continuous Monitoring
Your cyber security plan should include continuous monitoring to ensure that your systems are operating normally and to detect any abnormal usage. The regulation notes that effective continuous monitoring can be achieved through a variety of tools and that no specific technology is required. This lets organizations choose the combination of resources that will allow them to detect changes or activities within their information systems. This flexibility not only makes it easier to achieve compliance, but also empowers organizations to choose the systems that best fit their infrastructure needs.
The NYDFS cybersecurity regulations may be the first of their kind, but they are certainly not the last. Organizations must implement continuous monitoring, vet third-party services, report all cyber attack attempts and adhere to compliance deadlines. By understanding these elements of the requirements, businesses can take one step closer to compliance and better protection.