The Empire State Lays Down the Marker on Cybersecurity

by Elad Yoran, Executive Chairman of KoolSpan & CEO of Security Growth Partners and Natasha Cohen, Director for Cyber Policy and Client Strategy at BlueteamGlobal

The New York Department of Financial Services 23 NYCRR 500 Cybersecurity Requirements for Financial Companies went into effect on March 1st of this year. While the requirements are New York-based, given the state's concentration of financial services firms, the regulation reaches far beyond the Hudson River.

This article focuses on the implementation timeline – where companies should be as they work through the requirements.  Down the road, we'll examine the regulation's impact on future cybersecurity management.

NYDFS set out six-month milestones that serve as guides for compliance.  However, given the complexity and interrelated nature of a cybersecurity program with the business units it impacts, we advise companies to follow a more integrated timeline.

What Should Be Done Now

By now (July), covered entities should have determined who their Chief Information Security Officer (CISO) is, and whether they will outsource this role or keep it in house.  Deciding on a CISO early in the process is important because that person can help coordinate the rest of the implementation and he or she will need time to become familiar with the various parts of the cybersecurity program. Beyond the CISO, companies should also determine who else is designated as cybersecurity personnel.

In addition to defining the cybersecurity policies and personnel, at six months (September 1st), covered entities are also required to have a cybersecurity program designed to protect the confidentiality, integrity, and availability of information systems.  The program should be based on a risk assessment and include the requirements referenced in other sections of the regulation, such as controlled access to company systems (Access Privileges 500.07), incident response and information sharing (Incident Response Plan 500.16), and notification procedures (Notices to Superintendent 500.17).  

Getting Ready for Board Level Accountability

While many of the requirements due in the first year amount to basic cyber hygiene, a new requirement in NYDFS is that the CISO submit a report to the board of directors or equivalent governing body.  The board or a senior officer then needs to certify compliance to NYDFS by February 15th, 2018. 

This last element, the involvement of the Board of Directors and Senior Officers, is a significant shift.  Historically, cybersecurity activities have often been the sole domain of IT organizations, sometimes deep within the IT organization.  Elevating cybersecurity to the Board level raises its visibility and places responsibility, strategically, at the highest levels of the organization.

To prepare this report, covered entities should already be planning for and starting to execute penetration tests and vulnerability assessments, a cybersecurity risk assessment, and awareness training for all employees.  The assessments will no doubt unearth risk mitigation recommendations, so companies should give themselves time to make the improvements before the year is up.  Policies, procedures, and access privileges that were set as part of the prior phase should be reassessed at the conclusion of the risk assessment. 

The other big task for the one year milestone is the institution of Multi-Factor Authentication (MFA) or Risk-Based Authentication to protect against unauthorized access to Nonpublic Information or Information Systems. MFA is prescribed specifically for any method “of accessing a covered entity's internal networks from an external network.”  Assessing the feasibility of such features and implementing them is no small amount of work, so if companies have not already started, they should soon.

Broad Use of Encryption Coming Up

At one year and six months (September 1, 2018), covered entities are required to enable encryption (or other compensating controls) for the transmission or storage of nonpublic information. Since "nonpublic information" could cover everything from data stored in custom-built applications to e-mail messages to text messages to voice calls, companies should start planning for this step as early as possible.

On the Not So Distant Horizon

Near the end of this year, 2017, the CISO should start preparing the report for the Board or the governing body that covers their company's cybersecurity program and material cybersecurity risks. They should also start thinking about the other requirements due at eighteen months, including auditing and monitoring functions, increased application security, and information disposal procedures, as well as third-party vetting, which is due at twenty-four months.

The steps above outline an aggressive timeline for a lot of work, but the right steps taken in order will leave companies well prepared.  The best way to demonstrate successful implementation will be to utilize the risk assessment to inform decisions and implementation of security controls.  If a company can show that risk was analyzed, accepted, and/or mitigated appropriately then they should be in good shape.