New York State Cybersecurity Regulations for Financial Institutions are Tough, Critical, and Reach Beyond State Borders

Given today’s global cyber threatscape, the increased amount of targeted attacks against the financial sector — and New York City’s position as the financial capital of the U.S. (though some would argue the world) — it’s no surprise that new cybersecurity regulations regarding financial organizations that reside or conduct business in New York state may have implications that reach far beyond the Empire State.

The New York State Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies, went into effect on March 1, 2017.  They are a set of rules that apply directly to those businesses that are supervised by the NYDFS. This includes any entity operating under the jurisdiction of New York banking, insurance and financial services law and headquartered within the state. However, these regulatory rules also apply to third-party service providers and application vendors that may have their headquarters elsewhere.

The statements most relevant to jurisdiction are found in Part 500 – applying to any entity “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” This encompasses a broad swath of organizations that can include investment firms, banks, lenders, insurers, holding companies — even charities and service contractors.  If your organization falls within any of these categories, you should be prepared to comply. Although some small businesses may be exempt from certain parts of the law, tightening up security and improving your cybersecurity posture should be a best practice for any organization, given the current cyber threat environment.

The NYDFS rules offer detailed guidelines for how businesses under its mandate should be handling cybersecurity. And even though these rules currently apply only to financial entities with some ties to New York State, there’s speculation that other states will follow suit as regulatory agencies increase their efforts to stem the rising tide of successful cyberattacks against financial institutions.

As you delve into the regulations for your organization, remember that most risks are not black and white and all aspects of the organization need to be accounted for when developing a comprehensive cybersecurity strategy.  There are varying degrees of stakeholder and accountable executive buy-in required to develop a successful cybersecurity program in any industry.  When reviewing the guidelines, I encourage you to: consider what resources your organization currently has available to structure yourself to comply with the regulations; develop a way to make non-technical stakeholders understand the totality of the threat and why these regulations are necessary; determine a way to create a concrete and relatively timeless cybersecurity program that will not require sweeping changes upon subsequent annual reviews; and finally, identify a way to incorporate the regulations so they appropriately cover not only the domestic NY state footprint, but also the larger global corporate footprint for national and international organizations.

New NYDFS Cybersecurity Requirements

The following is a summary of some of the regulations with which “Covered Entities” must comply by August 28, 2017, unless otherwise stated below. These regulations come with various deadlines. Please confirm the specific dates for compliance independently and ensure that they have not changed over time. Failure to comply can result in steep fines or civil penalties.

Cybersecurity program: You must show evidence (documentation) that you have a cybersecurity program in place and that it is sufficient to protect the confidentiality, integrity and availability of your information systems. Your program must be informed by a “Risk Assessment,” which is also mandated by these regulations. The documentation must be made available on request to prove compliance.

Cybersecurity Policy and Incident Response Plan: You must write and maintain both a cybersecurity policy that addresses the areas specified in the Risk Assessment and a detailed incident response plan. The incident response plan must stipulate how you will respond to and recover from any “Cybersecurity Event” that materially affects your information systems or any aspect of your business or operations.

Access Privileges: This is designed to encourage entities to tighten up their policies around who has access to rights and permissions. It requires that organizations establish policies for granting and revoking access and periodically reviewing access to ensure compliance.

Chief Information Security Officer (CISO): You must designate a qualified individual as CISO, who will oversee and implement your cybersecurity program. The CISO must issue an annual written report addressing cybersecurity issues and that report must be reviewed internally. From CrowdStrike’s perspective, this requirement should really state CISO or CISO-equivalent, as titles are often inconsistent across organizations. Compliance deadline: March 1, 2018

Third-Party Service Personnel Policy and Training: These rules are designed to tighten security around third-party entities. Third-party employees have served as the initial access points in several high-profile breaches, and weaknesses in third-party information systems have been exploited by attackers in scores more. The new rules require that a Covered Entity not only establish policies that ensure due diligence and contractual protections for third-party engagements, but also provide established minimum security practices to which third parties must adhere. Compliance deadline: Sept. 1, 2018

Penetration Testing and Validity Assessments: This is another requirement based on your Risk Assessment, validating that you monitor and test the effectiveness of your cybersecurity program. You must either ensure continuous monitoring or establish periodic pen testing and vulnerability assessments. CrowdStrike recommends that you do both. Compliance deadline: March 1, 2018

Encryption of Non-Public Information: This rule requires that controls based on your Risk Assessment, including encryption, must be put in place to protect non-public data  —  both in transit over external networks and at rest. Those controls must be approved by your CISO. Compliance deadline: March 1, 2018

Risk Assessment: This is not a required element until March 1, 2018, but much of the compliance required by the end of August 2017 is based on a Risk Assessment report being available. Covered Entities would be wise to conduct at least a limited Risk Assessment prior to ensuring that other compliance rules are addressed.

These are some, but not all, of the rules stipulated in this legislation and a financial institution should be sure to first establish whether it —  or any of its products, services or locations — may be one of the Covered Entities subject to the regulation.

Prepare Your Organization Now

If this seems like a monumental undertaking — you’re correct. So where do you begin? The good news is that CrowdStrike offers a robust range of products and services that can not only assist you in complying with many of the requirements in these new regulations, but also improve your security posture beyond the letter of the law.

CrowdStrike can assist in fulfilling compliance with the NYDFS Cybersecurity Regulations in the following areas:

Cybersecurity Program: CrowdStrike Falcon® is a cloud-native platform offering comprehensive cybersecurity that can help you meet the requirements of an effective Cybersecurity Program. In addition, Falcon is the only platform that both delivers and unifies IT Hygiene, next-generation antivirus, endpoint detection and response (EDR), managed threat hunting, and threat intelligence — all delivered via a single, lightweight agent. Learn more.

The CrowdStrike Services team is also able to evaluate and assist organizations in the development of a Cybersecurity Program. This is done through several combinations of Cybersecurity Maturity Assessments, Cybersecurity Documentation Development, and Risk Assessments. Some of these items are described in more detail below.

Cybersecurity Policy and Incident Response (IR) Plan: In addition to the extensive security offered by the Falcon platform, CrowdStrike Services provides both proactive services and incident response that can ensure tighter security and assist with compliance.  CrowdStrike proactive services help you anticipate threats, prepare your network and improve your team’s ability to stop breaches. The CrowdStrike IR team accelerates the speed of remediation after an incident, so you can resume operations faster by identifying how the attacker accessed your environment, immediately mitigating this access and tracking his actions to prevent future access. Learn more.

Access Privileges: The CrowdStrike Falcon® platform offers complete, 5-second visibility across all endpoints in your organization and granular visibility over who has access so you can ensure your policies are enforced. Learn more

Penetration Testing and Vulnerability Assessments: CrowdStrike Services experts offer Red Team Services that test your cybersecurity capabilities against the actual tools, tactics and procedures (TTPs) used by the adversaries targeting your industry. The full-service offerings provide detailed vulnerability assessments accompanying reports to help fulfill regulatory compliance requirements. Learn more

Cybersecurity Assessments: CrowdStrike Services experts perform several types of assessments that help organizations understand their risks and develop plans of action to address the areas of greatest concern. These include risk assessments that examine the likelihood and impact of potential attacks on different assets, as well as maturity assessments that help ensure an organization has the appropriate people, processes and technologies in place to address the level of risk they face.

Leverage Proven Expertise to Empower Your Organization

While compliance with these new cybersecurity regulations is the end goal, all organizations should be preparing to stop the next attack on a regular, continual basis. Leveraging the expertise and technical advantages of CrowdStrike Services and the Falcon platform will empower your organization to do just that: The CrowdStrike team will help you identify any gaps in your people, processes and technology, so you can take the necessary steps to address all identified issues. CrowdStrike Services is here to help your organization proactively improve its security resiliency and posture you for continued success. Learn more.

Related Content