Cybersecurity | Penetration Testing | Third Party Service Providers
Summary of New York Cybersecurity Requirements for Financial Services Companies
The New York Department of Financial Services announced on February 16, 2017 that Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) was passed into law with an effective date of March 1, 2017. Various transitional periods are prescribed, the earliest being 180 days and the latest being 2 years from the effective date. The first annual compliance certification must be completed by February 15, 2018.
While many firms have already proactively increased cybersecurity programs, compliance with the requirements under this law is a priority for New York. The Cybersecurity Requirements for Financial Services Companies rule is designed to promote the protection of customer information as well as the information technology systems of regulated entities by requiring each company to assess its specific risk profile and design a program that addresses risk in a robust fashion. Compliance programs will designation a Chief Information Security Officer and include policies and procedures that address penetration testing, vulnerability assessments, audit trails, access privileges, and multi-factor authentication, among other things. Notable limited exemptions include covered entities with fewer than 10 employees, or less than $5 million in gross annual revenue in each of the last three years, or less than $10 million in year-end total assets.
Effective Date: March 1, 2017
Annual Certification Due: February 15, 2018 (and yearly on this date thereafter)
- 180 days – All sections/subsections not listed below.
- 1 year – 500.04(b), 500.05, 500.09, 500.12 and 500.14(b)
- 18 months – 500.06, 500.08, 500.13, 500.14(a), 500.15
- 2 years – 500.11
Section 500.01 Definitions
Section 500.02 Cybersecurity Program:
- Each Covered Entity must maintain a cybersecurity program designed to protect the confidentiality, integrity and availability through core cybersecurity functions:
- Identify/assess internal and external cybersecurity risks
- Use defensive infrastructure and develop defensive policies and procedures to protect from unauthorized access, use or other malicious acts
- Detect/respond to cybersecurity events and recover/restore normal operations
- Fulfill regulatory reporting obligations
- All relevant documentation and information must be provided to the Superintendent of Financial Services upon request.
Section 500.03 Cybersecurity Policy:
- Each Covered Entity must implement and maintain written policies, based on the covered entity’s risk assessment, designed to protect information systems and nonpublic information. Where applicable, the following areas must be addressed:
- information security;
- data governance and classification;
- asset inventory and device management;
- access controls and identity management;
- business continuity and disaster recovery planning and resources;
- systems operations and availability concerns;
- systems and network security and monitoring;
- systems and application development and quality assurance;
- physical security and environmental controls;
- customer data privacy;
- vendor and Third-Party Service Provider management;
- risk assessment; and
- incident response.
Section 500.04 Chief Information Security Officer (CISO):
- Must designate a qualified individual responsible for oversight, implementation and enforcement. The CISO may be employed by the Cover Entity, an Affiliate or a Third-Party Service Provider.
- If the CISO is employed by an Affiliate or a Third-Party Service Provider, the Covered Entity must:
- Ensure compliance with CISO requirements
- Designate a senior member responsible for direction and oversight of CISO
- Require Third-Party to maintain a cybersecurity program that protects the Covered Entity
- 500.04(b) The CISO must report, in writing, at least annually to the Covered Entity’s board of directors (or equivalent). If there is not board or equivalent, the report must be to a Senior Officer. The report must review the program and material risks and, to the extent applicable, will include:
- The confidentiality of Nonpublic Information and the integrity and security of the Information Systems;
- The cybersecurity policies and procedures;
- Material cybersecurity risks;
- Overall effectiveness of the cybersecurity program; and
- Material Cybersecurity Events during the time period addressed by the report.
Section 500.05 Penetration Testing and Vulnerability Assessments
- The cybersecurity program must include monitoring and testing, developed in accordance with the risk assessment. Monitoring and testing must include continuous monitoring or period penetration and vulnerability testing. If the program does not include continuous monitoring:
- Penetration testing must be completed annually.
- Vulnerability assessments must be completed bi-annually.
Section 500.06 Audit Trail
- Must securely maintain systems that:
- Are designed to reconstruct material financial transactions sufficient to support normal operations and obligations (maintain records for 5 years)
- Include audit trails designed to detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operations (maintain records for 3 years)
Section 500.07 Access Privileges
- Must limit user access privileges to systems that provide access to nonpublic information
- Must periodically review access privileges
Section 500.08 Application Security
- Ensure secure development practices for in-house developed applications and evaluate/assess/test security of externally developed applications
- All procedures/guidelines/standards used to ensure security must be periodically reviewed/assessed and updated as necessary by the CISO (or designee)
Section 500.09 Risk Assessment
- Must conduct periodic risk assessments and update the risk assessment as reasonably necessary.
- Must be documented
- Must be carried out in accordance with the following written policies and procedures:
- Criteria for the evaluation and categorization of identified cybersecurity risks or threats;
- Criteria for the assessment of the confidentiality, integrity, security and availability of Information Systems and Nonpublic Information, including the adequacy of existing controls in the context of identified risks; and
- Requirements describing how identified risks will be mitigated or accepted based on the Risk Assessment and how the cybersecurity program will address the risks.
Section 500.10 Cybersecurity Personnel and Intelligence
- Personnel utilized may be employees of the Cover Entity, an Affiliate or a Third-Party Service Provider
- Must utilize qualified cybersecurity personnel sufficient to manage cybersecurity risks and to perform/oversee performance of core cybersecurity functions
- Must provide cybersecurity personnel with cybersecurity updates and training sufficient to address relevant cybersecurity risks; and
- Must verify that key cybersecurity personnel take steps to maintain current knowledge of changing cybersecurity threats and countermeasures.
Section 500.11 Third-Party Servicer Provider Security Policy
- Must implement written policies and procedures, based on the risk assessment, designed to ensure security on information accessible to, or held by, Third-Party Service Providers that include:
- Identification and risk assessment of Third-Party Service Providers;
- Minimum cybersecurity practices required to be met by Third-Party Service Providers;
- Due diligence processes used to evaluate the adequacy of cybersecurity practices of Third-Party Service Providers; and
- Periodic assessment of Third-Party Service Providers based on risk and adequacy of their cybersecurity practices.
- Policies and procedures must include relevant guidelines for due diligence and/or contractual protections relating to Third-Party Service Providers including:
- Access controls;
- Use of encryption;
- Notice of a Cybersecurity Event directly impacting the Covered Entity;
- Representations and warranties addressing the Third-Party Service Providers cybersecurity policies and procedures.
- EXCEPTION: An agent/employee/representative/designee of a Covered Entity who is itself a Covered Entity need not develop its own Third Party Information Security Policy if the agent, employee, representative or designee follows the policy of the Covered Entity.
Section 500.12 Multi-Factor Authentication
- Must use effective controls, based on risk assessment. This may include use multi-factor authentication or risk-based authentication.
- Multi-Factor Authentication must be utilized for any individual accessing internal networks from an external network, unless the CISO has approved in writing the use of reasonably equivalent or more secure access controls.
Section 500.13 Limitations of Data Retention
- Policies and procedures must address periodic disposal of Nonpublic Information that is no longer needed for legitimate business purposes and is not otherwise required to be retained by law or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.
Section 500.14 Training and Monitoring
- 500.14(a) Must implement risk-based monitoring of activity and detection of unauthorized access or use of, or tampering with, nonpublic information.
- 500.14(b) Must provide regular cybersecurity awareness training for all personnel that reflects risks identified in the risk assessment.
Section 500.15 Encryption of Nonpublic Information
- Based on the risk assessment, implement controls, including encryption, to protect nonpublic information held or transmitted both in transit over external networks and at rest.
- If encryption in transit over external networks or at rest is not feasible, effective alternative compensating controls may be used if reviewed and approved by the CISO at least annually.
Section 500.16 Incident Response Plan
- Must establish a written incident response plan designed to promptly respond to and recover from any material Cybersecurity Event that addresses the following areas:
- Internal processes for responding to a Cybersecurity Event;
- Goals of the incident response plan;
- Definition of clear roles, responsibilities and levels of decision-making authority;
- External and internal communications and information sharing;
- Identification of requirements for the remediation of any identified weaknesses in Information Systems and associated controls;
- Documentation and reporting regarding Cybersecurity Events and related incident response activities; and
- Evaluation and revision as necessary of the incident response plan.
Section 500.17 Notices to Superintendent
- Must notify superintendent as promptly as possible, but in no event later than 72 hours from a determination that a Cybersecurity Event has occurred where:
- Notice is required to be provided to any government body, self-regulatory agency or any other supervisory body; or
- There is a reasonable likelihood of materially harming any material part of normal operations.
- Annually, by February 15, must submit a written statement covering the prior calendar year (Appendix A). All documentation supporting this certification must be maintained for 5 years. Documentation of identification of needed material improvements/updates and any related remedial efforts must be maintained as well.
Section 500.18 Confidentiality
- Information provided by a Covered Entity pursuant to this Part is subject to exemptions from disclosure under the Banking Law, Insurance Law, Financial Services Law, Public Officers Law or any other applicable state or federal law.
Section 500.19 Exemptions
- Each Covered Entity that fits into one of the following categories is exempt from certain subsections (listed below).
- Fewer than 10 employees, including any independent contractors, of the Covered Entity or its Affiliates located in New York or responsible for business of the Covered Entity, or
- Less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations of the Covered Entity and its Affiliates, or
- Less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates.
These categories are exempt from the following subsections: 04 – Chief Information Security Officer, 05- Penetration Testing and Vulnerability Assessments, 06 – Audit Trail, 08 – Application Security, 10 – Cybersecurity Personnel and Intelligence, 12 – Multi-Factor Authentication, 14 – Training and Monitoring, 15 – Encryption of Nonpublic Information, 16 – Incident Response Plan
- An employee/agent/representative/designee of a Covered Entity, who is itself a Covered Entity, is exempt to the extent that the employee, agent, representative or designee is covered by the cybersecurity program of the Covered Entity.
- A Covered Entity that does not directly or indirectly operate, maintain, utilize or control any Information Systems, and that does not, and is not required to, directly or indirectly control, own, access, generate, receive or possess Nonpublic Information shall be exempt from these requirements: 02 – Cybersecurity Program 03 – Cybersecurity Policy 04 – Chief Information Security Officer, 05- Penetration Testing and Vulnerability Assessments, 06 – Audit Trail, 07 – Access Privileges 08 – Application Security, 10 – Cybersecurity Personnel and Intelligence, 12 – Multi-Factor Authentication, 14 – Training and Monitoring, 15 – Encryption of Nonpublic Information, 16 – Incident Response Plan
- A Covered Entity under Article 70 of the Insurance Law that does not and is not required to directly or indirectly control, own, access, generate, receive or possess Nonpublic Information other than information relating to its corporate parent company (or Affiliates) shall be exempt from these requirements: 02 – Cybersecurity Program 03 – Cybersecurity Policy 04 – Chief Information Security Officer, 05- Penetration Testing and Vulnerability Assessments, 06 – Audit Trail, 07 – Access Privileges 08 – Application Security, 10 – Cybersecurity Personnel and Intelligence, 12 – Multi-Factor Authentication, 14 – Training and Monitoring, 15 – Encryption of Nonpublic Information, 16 – Incident Response Plan
- A Covered Entity that qualifies for any of the above exemptions pursuant to this section shall file a Notice of Exemption in the form set forth as Appendix B within 30 days of the determination that the Covered Entity is exempt.
- The following Persons are exempt from the requirements of this Part, provided such Persons do not otherwise qualify as a Covered Entity for purposes of this Part: Persons subject to Insurance Law section 1110; Persons subject to Insurance Law section 5904; and any accredited reinsurer or certified reinsurer that has been accredited or certified pursuant to 11 NYCRR 125.
- In the event that a Covered Entity, as of its most recent fiscal year end, ceases to qualify for an exemption, such Covered Entity shall have 180 days from such fiscal year end to comply with all applicable requirements of this Part.
Section 500.20 Enforcement
- Enforced by superintendent
Section 500.21 Effective Date
- March 1, 2017
Section 500.22 Transitional Periods – see above.
Section 500.23 Severability