Monday, June 26, 2017

A look at the NYDFS requirements for Cybersecurity

Hopefully most people have heard of the new NY State regulations on cybersecurity, usually referred to as the NYDFS regs, or "23 NYCRR 500" or the like.

These went into effect on March 1, 2017 and you can read the regs HERE.  It's just 15 pages.

Now, there are a lot of articles out there on the regs.  So I'm not so much interested in going over in detail what the regs say, but instead want to comment on what is here.


Overall the regs are interesting.  The focus is on organizations who are in the financial and insurance fields in NY, and in particular on protecting the "non-public" information of those entities, basically company info (financials), as well as PHI and PII.

The bulk of the regs are in 15 sections that are on having a cybersecurity program and the elements of it.  Basically that the organization has put in place an Information Security Management System (ISMS) as used in ISO 27001, or an infosec/cybersecurity program of people, processes, and technology.

While the regs went into effect in March of 2017, there are 3 deadlines for orgs to meet certain of the sections over the next 2 years.  There are also exceptions for small orgs and other groups.

So here are my comments, mainly about some of the 15 sections.

Sections 2 & 3 are pretty basic.  Having a Cybersecurity Program and having policies in place.  Again, the focus is protecting that non-public info, having a process to handle any incidents, and getting things back into operation.  Basically Incident Response and recovery/resilience.

Section 4 is about having a CISO.  Interestingly, the CISO is expected to do an annual report to the org's Board regarding the cybersecurity program.  The regs do allow orgs to have a CISO provided by a third party.  So if a third party is doing their IT services (an MSP or the like), they can provide CISO services (say a virtual or fractional CISO).

Section 5 is about Pentesting & Vulnerability Assessments.  They do expect orgs to do pentesting annually, which is nice.

Section 5 is about Audit Trails.  It's important that orgs know what is going on in their environment.  Who is accessing what, etc.  And this is called out in the regs.

Sections 6-9 are pretty straightforward.

Section 10 is about Cybersecurity Personnel.  Basically there is the expectation that the org gets qualified people into their program.  Of course, no idea what "qualified" means, which is good or bad.  There is also verbiage that the org needs to be sure these personnel get updates and training to help them continue to do their job and maintain their knowledge.  This is nice, as too many groups don't seem to want to invest in training and the like for their people.

Section 11 deals with third parties.  This is important as we've seen that too often third parties are a vector of breaches.  Too many groups are not looking at third party security.  Thankfully some are, but too often it's just the "big guys".

Section 12 deals with multi-factor authentication.  I see this being used more and more, so not unexpected.

Section 13 deals with data retention.  Basically making sure that when disposing of data that is no longer needed or required, it is done securely.  No surprise here.

Section 14 deals with Training & Monitoring.  Your basic security awareness training, as well as monitoring the activities of users.

Section 15 is about encryption of data.

Section 16 is about having an Incident Response Plan.  Vital to dealing with any incident or event that occurs.  Again, for anyone knowledgeable about IR, nothing here is surprising.

As noted, there are deadlines for when these different sections are due.  There are also requirements for annual reporting to the Superintendent, as well as exceptions for certain orgs.

It will be interesting to see how this impacts the organizations in New York, as well as whether other states may adopt similar regulations.  But this is only focused on financial and insurance companies.  What about organizations in other industries?  I guess they figure healthcare and related ones are covered already by HIPAA.  Though I would have thought the financial ones would have other regs in place so as not to need these.

Do others have further thoughts?
