The New York State Department of Financial Services has adopted a new cyber security regulation for all banking, insurance, and financial institutions that conduct business in New York State.
The new law is in effect as of 01 March, 2017. Firms that have more than 10 employees or that meet the specific gross revenue requirements detailed in the regulation over the course of three years must abide by the full regulation. Organizations that do not meet the revenue and staffing requirements will still have to abide by many of the requirements of the regulation.
Within the security and legal communities, it is widely believed that this regulation will be the template many other states use to enact similar regulations. New York State has assumed something of a leadership position with this law.
The regulation, known as “23 NYCRR Part 500”, prescribes the following:
Within 180 days of the effective date (August 28, 2017), all affected organizations (known as “Covered Entities”) must:
- Designate a person as Chief Information Security Officer (this can be a third party).
- Develop a cyber security program.
- Review access privileges for all people who have access to non-public personally identifiable information (PII).
- Develop cyber security policies.
- Develop a cyber incident response plan.
- Utilize qualified cyber security personnel and intelligence (this may also be provided by a third party).
By February 15, 2018, the designated CISO must file the first certification of the organization’s compliance with the regulation.
12 months after the effective date (01 March, 2018), all affected organizations must:
- Present a report from the CISO outlining the cyber security practice of the organization.
- Conduct annual penetration tests and bi-annual vulnerability scans of all financial systems that hold personally identifiable information.
- Conduct a risk assessment of all in-scope systems.
- Use multi-factor authentication for access to financial systems (unless the CISO establishes reasonably equivalent security for system access).
- Establish a cyber security awareness training program in the organization.
18 months after the effective date (04 September, 2018), all affected organizations must:
- Establish a mechanism to provide a five-year audit trail of financial transactions as well as a three-year mechanism to reconstruct financial transactions.
- Establish limitations on data retention.
- Review application security for all in-house developed applications.
- Establish risk-based policies and controls for authorized users.
- Use encryption to protect affected data (unless the CISO establishes compensating controls for the use of encryption).
2 years after the effective date (01 March, 2019), all affected organizations must:
- Establish a security policy for access by all third parties with whom the covered entity conducts business.
This regulation underwent two revisions prior to its final release. The original regulation was very strict, and many of the requirements of the original proposal were moderated so as not to cripple small and medium-sized businesses.
The effects of this regulation are rippling through many organizations, as it places direct responsibility for cyber security on the Board of Directors or equivalent senior management positions within a covered entity. Cyber security has truly hit the C-suite in New York State. The big question now is: will other states follow New York’s lead?