In 2017, the New York State Department of Financial Services (NYDFS) launched GDPR-like cybersecurity regulations for its massive financial industry. Unusual at the state level, this new regulation includes strict requirements for breach reporting and limiting data retention.
Like the GDPR, the New York regulation has rules for basic principles of data security, risk assessments, documentation of security policies, and designating a chief information security officer (CISO) to be responsible for the program.
Unlike the GDPR, the regulation has very specific data security control, including annual pen testing and vulnerability scans!
The point of these rules, as with the GDPR, is to protect sensitive nonpublic information, which is essentially consumer personally identifiable information or PII that can used use to identify an individual.
NYDFS Cybersecurity Regulation Defined
The NYDFS Cybersecurity Regulation (23 NYCRR 500) is “designed to promote the protection of customer information as well as the information technology systems of regulated entities”. This regulation requires each company to conduct a risk assessment and then implement a program with security controls for detecting and responding to cyber events.
Who Does NYDFS Cybersecurity Law Apply to?
The NYDFS has supervisory power over banks, insurance companies, and other financial service companies. More specifically, they supervise the following covered entities:
- Credit Unions
- Health Insurers
- Investment Companies
- Licensed Lenders
- Life Insurance Companies
- Mortgage Brokers
- Savings and Loans Associations
- Private Bankers
- Offices of Foreign Banks
- Commercial Banks
In short: any institution that needs a license from the NYDFS is covered by this regulation. A more extensive list can be found here.
There are some exemptions for companies that fall under the following categories:
- Fewer than 10 employees, including any independent contractors, of the Covered Entity or its Affiliates located in New York or responsible for business of the Covered Entity, or
- Less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations of the Covered Entity and its Affiliates, or
- Less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates, or
- There’s no storing or processing of nonpublic information.
How Does The NYDFS Cybersecurity Regulation Work?
The NYDFS Cybersecurity Regulation works by enforcing what are really common sense IT security practices. Financial companies in New York that are already rely on existing standards, say PCI DSS or SANS CSC 20, should have little problem meeting the New York regulation.
In short, NYDFS is asking organization to assess their security risks, and then develop policies for data governance, classification, access controls, system monitoring, and incident response and recovery. The regulation calls for companies to implement, at a minimum, specific controls in these areas (see the next section) that are typically part of compliance standards.
The big difference of course is that New York State regulators at the Depart of Financial Services are enforcing these rules, and that not complying with the regulation becomes a legal matter. They are even requiring covered entities to designate a CISO who will annually sign off on the organization’s compliance.
What Are The NYDFS Regulation Requirements?
Covered entities will have to implement the following:
- Risk Assessments – Conducted periodically and will be used to assess “confidentiality, integrity, security and availability of the IT infrastructure and PII. (Section 500.09)
- Audit Trail – Designed to record and respond to cybersecurity events. The records will have to be maintained for five years. (Section 500.06)
- Limitations on Data Retention – Develop policies and procedures for the “secure disposal” of PII that is “no longer necessary for business operations or for other legitimate business purposes” (Section 500.13)
- Access Privileges – Limit access privileges to PII and periodically review those privileges. (Section 500.07)
- Incident Response Plan – Develop a written plan to document internal processes for responding to cybersecurity events, including communication plans, roles and responsibilities, and necessary remediations of controls as needed. (Section 500.16)
- Notices to Superintendent – Notifications to the NYFS within at most 72-hours after a “material” cybersecurity event has been detected. (Section 500.17)
NYDFS Cybersecurity FAQs
- Do you have to report all cybersecurity events within 72-hours to NYDFS?
No. You only have to report events that have a “reasonable likelihood of materially harming any material part” of the company’s IT infrastructure. For example, malware that infects the digital console on the bank’s espresso machine is not notification worthy. But a key logger that lands in a bank’s foreign exchange area and is scooping up user passwords is very worthy.
- How frequently do you have to conduct risk assessments?
Covered entities are supposed to conduct “periodic” assessments. However, keep in mind the CISOs will have to certify annually (see below) that their organization is in compliance. You should expect to do assessments at a minimum once per year.
- How much documentation is required beyond developing security policies?
There’s no escaping the fact that reporting requirements are significant, and CISOs will be busy just handling this new regulation. In addition to reporting material cyber incidents to NYDFS, the CISOs will have to report annually to the board or governing body the current cybersecurity state of the organization, including material cybersecurity risks, effectiveness of controls, and material cybersecurity events. For any weaknesses that are discovered as part of the assessment, CISOs will need to document the remediation efforts that were undertaken. Finally, the CISO will also have to annually certify to the NYDFS that their organization is in compliance.
- Do you have to report all cybersecurity events within 72-hours to NYDFS?
NYDFS Cybersecurity Regulation Tips for Compliance
There are few important points to keep in mind about the NYDFS regulations:
- NYSDFS rules on breach reporting cover a far broader type of cyber event than any other state. Not only does the organization have to report stolen information, but also any attempt to gain access or to disrupt or misuse system. This includes denial-of-service (DoS), ransomware, and any kind of post-exploitation where system tools are leveraged and misused. Look for monitoring systems that have the capability to detect unusual access to sensitive data.
- There are significant training requirement for cyber staff. Companies will have to provide corporate training to “address relevant cybersecurity risks”. And cyber staff are not off the hook either: they are required to take steps to keep professionally current with cybersecurity trends. Financial companies in New York will likely need to up their training budgets to meet these rules.
- Data classification is a critical first step in performing a risk assessment. A security team will need to determine how much PII is in the organization, where it is located, and who has access to it in order to evaluate potential risk. This information is then used to tune access rights to this sensitive data so that only those who really need data as part of their role have access — and no one else.
How Varonis Can Help
|Section 500.02 Cybersecurity Program.||Varonis detects insider threats and cyberattacks by analyzing data, account activity, and user behavior; prevents and limits disaster by locking down sensitive and stale data; and efficiently sustains a secure state with automation.|
|Section 500.06 Audit Trail.||Varonis gives you a single unified platform to manage risk and protect your most important assets, along with built-in reports and a detailed, searchable audit trail of data access.
With a unified audit trail, admins or security analysts are only a few clicks away from knowing who’s been opening, creating, deleting, or modifying important files, sites, Azure Active Directory objects, emails, and more.
|Section 500.07 Access Privileges||DatAdvantage maps who can access data and who does access data across file and email systems, shows where users have too much access, and then safely automates changes to access control lists and security groups.
DataPrivilege gives business users the power to review and manage permissions, groups, and access certification, while automatically enforcing business rules.
The Automation Engine discovers undetected security gaps and automatically repairs them: fixing hidden security vulnerabilities like inconsistent ACLs and global access to sensitive data.
|Section 500.09 Risk Assessment.||Varonis Risk Assessments provide a comprehensive report that highlights at-risk sensitive data, flags access control issues, and quantifies risk. The risk assessment summarizes key findings, exposes data vulnerabilities, provides a detailed explanation of each finding, and includes prioritized remediation recommendations.|
|Section 500.13 Limitations on Data Retention.||Data Transport Engine automatically moves, archives, quarantines, or deletes data based on content type, age, access activity, and more. Migrate data cross-domain or cross-platform, all while keeping permissions intact and even making them better.
Quarantine sensitive and regulated content, discover data to collect for legal hold, identify data to archive and delete, and optimize your existing platforms.
|Section 500.14 Training and Monitoring.||Varonis continually monitors and alerts on your core data and systems.
Detect unusual file and email activity, suspicious user behavior, and trigger alerts cross-platform to protect your data before it’s too late. Automatic response triggers can stop ransomware in its tracks, and mitigate the impact of compromised accounts and potential data breaches.
Visualize security threats with an intuitive dashboard, investigate security incidents – even track alerts and assign them to team members for closure.
|Section 500.16 Incident Response Plan.|
|Section 500.17 Notices to Superintendent.|
NYDFS dictates that risk assessments are not just a good idea, but (at least in New York State) are required for financial companies. Get started with a free risk assessment: we’ll identify PII, flag excessive permissions, and help you prioritize at-risk areas – and take the first steps towards meeting NYDFS compliance.