Fall is here. This is the time of year when the nights are getting colder, and the days are brisk and breezy. It’s also time to get the house in order for the impending winter season. Just like the changing seasons, cybersecurity threats are changing as well. With the recently enacted NY DFS (New York Department of Financial Services) requirements, it’s time to get your cybersecurity house in order.
With little mention by executives, boards, and regulators just a few years ago, cybersecurity threats and the programs to address them are rapidly gaining attention today in almost every company across multiple industries. Industries with highly sensitive data are big targets for cyber criminals intent on stealing this data and monetizing it for their own gain. With the volume of sensitive data involved in the mortgage industry, the cyber threat landscape is a constant reminder of the need for proactive cybersecurity programs led and managed by skilled practitioners. Executives and company boards are increasingly concerned with this new age of cyber attacks and are looking for the right combination of risk mitigation and business value from a strong, well-run program, while meeting compliance requirements like those from NY DFS.
Earlier this year, NY DFS issued a set of cybersecurity regulatory requirements that were considered a first among state regulators. Titled “Cybersecurity Requirements for Financial Services Companies,” designated as 23 NYCRR 500, and referred to as simply Part 500, this list raises the bar for cybersecurity preparedness and regulatory reporting in the financial services industry. Issued by NY DFS in its final form in February with an effective date of March 1, 2017, it includes several compliance dates that are important to note. Figure 1 illustrates the compliance timeline. This new regulation includes cybersecurity requirements that will likely affect all organizations in some way. Let’s take a look at how we got here, who this applies to, and the key requirements that may change the cybersecurity programs within your company.
Traditional Regulatory Environment and NY DFS
For many years, regulatory requirements at the federal level have been in place to provide guidance on protecting sensitive data within the financial services industry, including mortgage lending. While not specific on implementation, protecting confidential consumer information has been promulgated through various laws for some time. The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule is a prime example of this type of federal requirement. Many states, for their part, have issued laws that create a patchwork of security breach notification and reporting rules. Perceived gridlock at the federal level on cybersecurity regulation is prompting states to look at issuing their own requirements. While NY DFS is the first to do so, we will likely see similar regulations from other states in the future.
Applicability of the NY DFS Regulation
Part 500 applies to Covered Entities that operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization under Banking, Insurance, or Financial Services Laws. The regulation also requires Covered Entities to file a Certification of Compliance by February 15 of each year beginning in 2018. This annual filing attests to compliance with the applicable sections of the regulation. The scope of data covered in Part 500 is also defined within the new regulation. “Nonpublic Information” as defined in Part 500 includes not only individual information similar to that covered by GLBA, but also business-related information about your organization and individual health care information in any form. While this is not out of the ordinary for information generally included in an enterprise cybersecurity program, the specific definition within this regulation is important to know. There are provisions within Part 500 that may allow some smaller organizations to file for an exemption from the regulation. Partnering with your legal department to understand this new regulation and how it applies to your organization is a key first step.
Key Aspects of the Regulation
For those in the security or cyber risk areas within their respective organizations, the topics covered in Part 500 will be familiar, and many align with standard industry practice designed to protect access to technology assets and sensitive data. It’s worth reviewing some key sections of Part 500 and considering them as you work toward compliance and the 2018 filing deadline.
Risk Assessments: This is a key theme in Part 500, as many sections indicate that the applicability of controls within an organization can be based on the outcome of a risk assessment process. This is a baseline practice in well-run cybersecurity programs and is often performed periodically to identify changes and areas for improvement. Knowing where your data is and how it enters and exits your environment is key to producing a comprehensive, high-value risk assessment deliverable. Formal business process documentation with data flow diagrams is important to this process and should be available to support the risk assessment activity.
Formal Program and CISO Appointment: Part 500 specifically requires that a cybersecurity program be implemented and that it include core cybersecurity functions. Appointment of a qualified individual to lead the program, the Chief Information Security Officer (CISO), is required. The CISO must provide an annual report to the Board of Directors or equivalent governing body for the company and approve changes or other mitigating controls per specific sections of Part 500. Additionally, the program must maintain audit trails with five-year retention for normal business operations and three-year retention for cybersecurity events. The former points directly to the need for adequate business continuity practices to restore normal business operations following an event. The latter audit requirement is focused on security-related log data and is longer than standard practice in most industries. This can lead to much larger volumes of log data that may not be of high value. It presents an opportunity to review security logging practices for relevance and effectiveness and to reduce the logging data types stored to those that are essential to incident analysis and event investigation procedures.
Data Encryption: Encryption of data at rest and in transit is a requirement within Part 500. Where encryption is infeasible, alternative compensating controls approved by the CISO may be used. Feasibility and effectiveness must be reviewed annually by the CISO. While encryption of data in transit has been implemented by many organizations, encryption of data at rest may be more problematic for older legacy systems in use within some companies. Simply encrypting data at rest in legacy systems and data stores may cause application disruption and associated downtime. Team with your IT department to understand the risk of implementing encryption at rest on legacy systems and the options for alternative compensating controls.
Incident Response: Part 500 requires a written incident response plan that covers processes, roles, communication, remediation requirements, documentation, and revision procedures. This is a fundamental component of any cybersecurity program and should be well documented and rehearsed. Success here will be necessary to meet the cybersecurity event notification requirement of Part 500.
Qualified Personnel and Training: Part 500 requires qualified cybersecurity personnel to manage and oversee the program, and requires that this team be provided with appropriate training and cybersecurity updates. These personnel must maintain current knowledge of changing cybersecurity threats and countermeasures. Receiving data from appropriate threat intelligence sources is a key resource for cybersecurity personnel and is essential to understanding the changing threat landscape. Additionally, periodic cybersecurity awareness training for all employees is required and is critical to lowering cyber risk to the organization.
Third Party Security Risk Oversight: This is a key area of risk today and has been the focus of many data breaches in recent years. Part 500 requires a formal program to measure and mitigate risk from the use of third party service providers. Several of the requirements in Part 500 must be extended to third parties used by the Covered Entity, and appropriate contractual requirements must be in place as well. Meeting this requirement may be a time-consuming process for many Covered Entities, which is why it has the longest transition period of any specific requirement in the regulation.
Cybersecurity Event Notification and Annual Compliance Filing: Key to NY DFS oversight and compliance monitoring under this new regulation is formal notification within 72 hours of a determination that a cybersecurity event has occurred, as well as annual compliance filings. There are specific qualifiers regarding event notification, but the requirement is tied, in part, to other regulators or government bodies that you may need to notify post-event; state breach notification laws are one example. The annual filing requirement obliges Covered Entities to retain the supporting documentation used to ascertain compliance for the filing for five years. These records could be subject to NY DFS inspection and should be regarded as key business documentation, subject to treatment under your organization’s formal records management program.
Approach to Meeting the Requirements
Since a risk assessment is a baseline activity for many sections of Part 500, it should be an initial activity. The assessment should include, as part of its scope, the organization’s business operations, technology environment, and threat landscape. The result becomes the basis for security controls definition and program policy structure. Part of this assessment process includes knowing where your data is and who has access to it. Mapping your business processes and data flows is essential to completing any risk assessment that focuses on data protection. The risk assessment should be updated periodically as the business, technology environment, and threat landscape change.
Identify appropriate resources to lead and maintain the program, including a CISO. If this position already exists within your organization, make sure the CISO understands their role in meeting this new regulation. As with many new compliance activities, this is a team sport. Partner with IT, legal, and business operations to understand and develop the program changes and updates needed to meet this new regulation.
While this is the most comprehensive cybersecurity requirement we have seen at the state level, it may not be the only one over time. A well-designed, risk-based cybersecurity program will provide a solid basis for meeting NY DFS Part 500 and should require only modest updates and process changes to achieve compliance and submit your annual filing with confidence.
Shawn H. Malone is Founder and CEO of Security Diligence, LLC and is a former security and business compliance executive in the mortgage insurance industry. He can be reached at SMalone@SecDiligence.com