One of the nation’s most comprehensive cyber-security compliance regimes is coming into clearer focus in New York.
Beginning on Feb. 15, a staggered slate of compliance deadlines began affecting financial services firms, including some of the world’s biggest banks. First up: compliance certification filings and executive/director attestations. Covered entities were required to submit a statement of compliance covering the prior calendar year, filed electronically via the recently launched New York Department of Financial Services cyber-security portal.
Financial Services Superintendent Maria Vullo also announced that DFS will now incorporate cyber-security in all examinations, adding questions related to cyber-security to “first day letters,” notices the Department issues to commence its examinations of financial services companies, “including examinations of banks and insurance companies for safety and soundness and market conduct.”
“The DFS compliance certification is a critical governance pillar for the cyber-security program of all DFS regulated entities,” Vullo said in a statement. “DFS’s regulation requires each entity to have an annual review and assessment of a program’s achievements, deficiencies, and overall compliance with regulatory standards, and the DFS cybersecurity portal will allow the safe and secure reporting of these certifications. DFS’s goal is to prevent cyber-security attacks, and we therefore will now include cyber-security in all DFS examinations to ensure that proper cyber-security governance is being practiced by our regulated entities.”
New York’s first-in-the-nation cyber-security regulation became effective March 1, 2017, with a staggered set of deadlines. The agency’s regulations will impose a host of new security, personnel, attestation, and reporting requirements.
Those rules require that banks, insurance companies, and other financial services institutions overseen by the NYDFS establish a cyber-security program. Firms are also expected to adopt a written cyber-security policy; designate a chief information security officer responsible for implementing, overseeing, and enforcing the program and policy; and have policies and procedures designed to ensure the security of information systems and non-public information accessible to, or held by, third parties.
Each covered entity will be required to implement and maintain a written cyber-security policy detailing policies and procedures for the protection of information systems and the non-public information stored on those systems. At a minimum, they must address:
access controls and identity management;
business continuity and disaster recovery planning;
systems and network monitoring;
physical security and environmental controls;
customer data privacy;
vendor and third-party service provider management;
risk assessment; and incident response.
A cyber-security policy, prepared on at least an annual basis, must be reviewed by a firm’s board of directors and approved by a senior officer.
The CISO of each covered entity is required to produce a written report, at least annually, that is presented to the board of directors or equivalent governing body and made available to the superintendent upon request.
This report must assess the confidentiality, integrity, and availability of the firm’s information systems; detail exceptions to the cyber-security policies and procedures; identify cyber-risks; assess the effectiveness of the cyber-security program; propose steps to remediate any identified inadequacies; and include a summary of all material cyber-security events during the time period addressed by the report.
The cyber-security program must, at a minimum, include penetration testing of information systems at least annually and vulnerability assessments at least twice a year. The program must also include audit trail systems that track and maintain data sufficient to reconstruct material financial transactions, and to detect and respond to a cyber-security event.
Firms must also implement written policies and procedures designed to ensure the security of information systems and non-public data accessible to, or held by, third parties doing business with them. On an annual basis, each firm is required to provide the NYDFS superintendent a written statement certifying that it is in compliance with all requirements. A cyber-security event that must be reported to any other government or supervisory body, or that has a reasonable likelihood of materially harming the firm’s normal operations, must be reported to the superintendent within 72 hours of the firm determining that it occurred.
KEY DATES UNDER NEW YORK'S CYBER-SECURITY REGULATION
Feb. 15, 2018: Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.
March 1, 2018: One-year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500.
Sept. 3, 2018: Eighteen-month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.
March 1, 2019: Two-year transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11.
The Department has extended the initial period for making the filing of the Notice of Exemption required by 23 NYCRR 500.19(e) until October 30, 2017. Covered Entities that have determined that they qualify for a limited exemption under 23 NYCRR 500.19(a)-(d) before October 1, 2017, are now required to file a Notice of Exemption on or prior to this date.
The Department reminds Covered Entities that Notices of Exemption should be filed electronically via the DFS Web Portal. Filers are first prompted to create an account and log in to the DFS Web Portal, then directed to the filing interface. The portal site also contains a copy of the Cybersecurity Regulation and a set of Frequently Asked Questions.
Jeffrey Taft, a partner in the law firm Mayer Brown’s financial services regulatory and enforcement group, says that many covered firms have been stressed by the now-implemented attestation requirement. His advice is to leverage an in-house hierarchy that probably already exists by building a network of sub-certifications beneath the person who signs. This is especially important when directors and senior management do not have suitably extensive backgrounds in information technology.
“There may be a lot of areas where they have overall responsibility, but not day-to-day responsibility,” Taft says. “They are relying on those who work for them, on a daily basis, to keep them informed and make sure the trains are running on time.”
Taft explained the process. “In some companies, they have come up with a process where the people beneath them are certifying they are compliant with the rule, in terms of what they are responsible for, and those sub-certifications form the basis by which the ultimate certifier makes their attestations to the DFS,” he said. “That’s a good model. It creates a level of accountability throughout the system. If the certification turns out to be problematic, the person who made it can go back and explain that they were relying on a very detailed chain of command. This also tells the DFS that you were taking these requirements very seriously, had a system in place, and assigned an individual level of accountability in the organization regarding cyber-security.”
Taft compares this approach to how many public firms approach Sarbanes-Oxley requirements and demand for director attestation.
Mark Krotoski, a partner and co-leader of Morgan Lewis’s privacy and cyber-security practice, previously served as national coordinator for the Computer Hacking and Intellectual Property Program in the Department of Justice’s Criminal Division. In his view, much of the compliance work involves evolving and applying controls firms already have.
“This has certainly been a transitional, phased-in process,” he says. “In many instances my clients already have some of the features that are called out by this regulation. Additionally, they have been adapting their prior policies and programs to comply with some of the specific requirements that the Department imposed. They may already have many of these features, but now they need to re-designate and reclassify them in order to be in compliance.”
As firms assess whether they have the in-house capabilities the new rules require, many are finding they need to bring in outside vendors on both the technical and legal sides of the task, Taft says, stressing that cyber-security “has to be tailored to particular circumstances” of a covered entity.
Companies also need to assess how they are going to absorb the costs.
“The firms covered by this regulation include financial institutions, financial service organizations, and insurance companies. Many that fall under those three categories already have some form of program in place,” Taft says. “When it comes to cost, what some companies are struggling with is the cost of compliance versus the cost of security. In some instances, they already had strong programs; now they need to ensure that they are in compliance with these new standards.”
The attestation demand, already causing worry at many firms, will only grow more complex. Upcoming deadlines bring requirements for penetration testing, risk assessments, multi-factor authentication, and training and monitoring, each of which the next certification will have to cover.
One important question still awaits an answer: What will enforcement look like?
“This is an area of overlapping—and in some instances conflicting—requirements,” Taft says. Nearly all states and most federal regulators already have cyber-security and breach-notification requirements in place. Others, including the Securities and Exchange Commission, are expected to deliver new requirements very soon. For some financial firms, there are also international requirements piled on.
“Whenever you have an enforcer at the state or federal level, you are trying to read the tea leaves of what their first enforcement actions will be and what they mean,” Taft says. His advice, whether they come out swinging or not, is to make sure your firm can attest to a “reasonable good faith effort.”
One provision that sets New York’s rules apart from other cyber-security regulations is how far they push authentication.
Section 500.12 (Multi-Factor Authentication) allows a covered entity to protect against unauthorized access with risk-based authentication, which the regulation defines as a system that detects anomalies or changes in a person’s normal use patterns and requires additional verification of identity when such deviations are detected.
Istvan Molnar, compliance specialist at the security firm Balabit, says some of the most effective anomaly detection strategies that organizations can implement in order to be in compliance use behavioral biometrics.
“Nowadays, we don’t define biometric characteristics as narrowly as we did a few years back,” he says. “Apart from the usual fingerprint and retina scans, there are also so-called digital biometric identifiers. These are regularly occurring patterns and constantly performed actions that can reflect an individual’s unique behavior. These characteristics are bound to an individual, impossible to mimic or reproduce, yet easily distinguish one user from another.”
Anomaly detection based on digital behavior, also known as User Behavior Analytics, is becoming increasingly important, he says, and he breaks the process into three stages.
First: Generate a custom profile for each user from the collected digital biometric identifiers. This profile is the baseline against which that specific user is later identified.
Second: Use “continuous authentication” to keep comparing the baseline profile against actual behavior for the whole period the user is operating inside the security perimeter, not just at login.
Third: When the difference between the baseline and current behavior exceeds an established tolerance threshold, assign a risk score, take into account the type of data being accessed, and hand the evidence of possible illicit or insider activity to the security team so it can judge the criticality of the event.
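The three stages above, as an added worked example (this is not Balabit’s code, and the regulation prescribes no particular method). The feature names, the z-score and moving-average scoring, the thresholds, the data-sensitivity weights and every session value are constructed assumptions for illustration, not real telemetry:

```python
"""Behaviour-based risk scoring for continuous authentication (added example).

Stage 1: build a per-user baseline from enrolment sessions.
Stage 2: score each window of a live session against that baseline.
Stage 3: when the smoothed score exceeds a tolerance, emit an event carrying
         the evidence an analyst needs to judge criticality.
"""
from statistics import mean, pstdev

# Per-window features. Hypothetical names; a real deployment would derive
# them from keystroke, mouse and command telemetry.
FEATURES = ("key_hold_ms", "key_flight_ms", "cmds_per_min", "mouse_px_per_s")

# Weight applied to a score depending on what the session is touching
# (assumed values for the example).
DATA_SENSITIVITY = {"customer_pii_db": 3.0, "internal_wiki": 1.0}


def build_baseline(user, sessions):
    """Stage 1: per-user baseline as the mean and spread of each feature."""
    mu = {f: mean(s[f] for s in sessions) for f in FEATURES}
    # Floor the spread so a feature with no variance cannot blow up the z-score.
    sigma = {f: max(pstdev(s[f] for s in sessions), 1e-6) for f in FEATURES}
    return {"user": user, "mu": mu, "sigma": sigma}


def window_score(baseline, window, cap=6.0):
    """Stage 2: deviation of one observation window from the baseline.

    Returns the mean capped |z| across features and the per-feature values.
    Capping stops a single wild feature from dominating the score.
    """
    z = {f: min(abs(window[f] - baseline["mu"][f]) / baseline["sigma"][f], cap)
         for f in FEATURES}
    return mean(z.values()), z


def score_session(baseline, windows, threshold=3.0, alpha=0.5):
    """Stages 2 and 3: smooth the score over the live session and emit events.

    An exponentially weighted moving average over consecutive windows means one
    noisy window does not trip the threshold, while a sustained change in
    behaviour does. Each event records which features drove it, the resource in
    use, and a criticality that scales the score by data sensitivity.
    """
    events = []
    smoothed = None
    for i, w in enumerate(windows):
        score, z = window_score(baseline, w)
        smoothed = score if smoothed is None else alpha * score + (1 - alpha) * smoothed
        if smoothed > threshold:
            drivers = sorted(z, key=z.get, reverse=True)[:2]
            sensitivity = DATA_SENSITIVITY.get(w["resource"], 1.0)
            events.append({
                "user": baseline["user"],
                "window": i,
                "score": round(smoothed, 2),
                "resource": w["resource"],
                "criticality": round(smoothed * sensitivity, 2),
                "drivers": drivers,
                "action": "step_up_auth" if sensitivity >= 3.0 else "alert",
            })
    return events


def _s(hold, flight, cmds, mouse, resource="internal_wiki"):
    return {"key_hold_ms": hold, "key_flight_ms": flight,
            "cmds_per_min": cmds, "mouse_px_per_s": mouse, "resource": resource}


# Constructed enrolment sessions for one user (not a real capture).
ALICE_HISTORY = [_s(92, 180, 3.0, 400), _s(95, 185, 3.4, 420), _s(90, 178, 2.8, 390),
                 _s(94, 182, 3.2, 410), _s(91, 184, 3.1, 405), _s(96, 179, 2.9, 395)]

# Constructed live session: three windows of alice herself, then someone else
# driving her still-authenticated session against the customer database.
LIVE_SESSION = [_s(93, 181, 3.0, 402), _s(94, 183, 3.2, 408), _s(91, 180, 3.1, 400),
                _s(70, 140, 6.0, 600, "customer_pii_db"),
                _s(68, 138, 6.5, 610, "customer_pii_db"),
                _s(72, 142, 5.8, 590, "customer_pii_db")]

if __name__ == "__main__":
    baseline = build_baseline("alice", ALICE_HISTORY)
    for event in score_session(baseline, LIVE_SESSION):
        print(event)
```

Run stand-alone, the first three windows stay under the tolerance and the last three each produce an event against customer_pii_db with the step-up action, since every feature is capped at the maximum deviation once the operator changes. The tolerance, the smoothing factor and the sensitivity weights are the knobs a firm would tune from its own risk assessment; the point of the smoothing is that a single odd window is logged but not acted on, while a sustained change is.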