The New York State Cybersecurity Regulation
Certain entities that operate in the State of New York must comply with New York State’s latest cybersecurity regulation to ensure the safety and soundness of the entity and its customers. If you’re an entity operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law (“covered entity”), what do you need to do to be compliant? Let’s take a look.
The new regulation is definitely a step in the right direction. Where regulations, too often, aren’t very precise on what the compliance requirements are, this one is a welcome change and does a good job at “spelling it out.”
If you are a covered entity, it’s possible that you’re already doing some of these things as part of compliance requirements of other regulations such as GLBA, FACTA, BSA, SOX, and so on. However, remember that this is a new regulation with a new set of regulators and a new set of eyes. The way the regulation has been drafted, it wouldn’t be surprising if its regulators approached their audits of your entity differently. It would be in order to review your existing measures again, specifically with the new regulation as the core focus and, of course, implement the requirements that you don’t already have in place.
Most importantly, remember that compliance and security are different things.
An Overview of the Requirements
Step 1: Assess Cybersecurity Risk (500.09)
The regulation requires covered entities to complete a risk assessment to inform the design of a cybersecurity program. The assessment must take into account the organization’s business operations, information systems and nonpublic information. It must evaluate and categorize risks as well as identify how risks will be mitigated and how a cybersecurity program will address such risks.
Step 2: Develop Cybersecurity Foundation
The regulation aims to build cybersecurity from the ground-up.
Cybersecurity Program (500.02)
- The program must be based on the covered entity’s risk assessment and present the covered entity’s stance toward information security, particularly how it will protect information systems and nonpublic information stored on these systems.
Cybersecurity Policies (500.03)
- Required information security policies include, but are not limited to, information security, data governance, asset inventory, access controls, business continuity and disaster recovery, systems operations, systems and network security and monitoring, physical security, customer data privacy, third party service provider management, risk assessment, and incident response.
Chief Information Security Officer (500.04)
- Covered entities must designate a Chief Information Security Officer (CISO) who will oversee, implement, and enforce the cybersecurity program and policies.
Step 3: Incorporate Technical Measures
The regulation is very specific when etching out the details of what it requires covered entities to do in terms of technical cybersecurity measures.
Penetration Testing and Vulnerability Assessments (500.05)
- The covered entity must have continuous monitoring mechanisms or complete annual penetration testing, bi-annual vulnerability assessments (scans).
Audit Trail (500.06)
- The covered entity must have audit trails and maintain certain records.
Access Privileges (500.07)
- The covered entity must implement and regularly review access privileges to information systems that provide access to nonpublic information.
Application Security (500.08)
- If the covered entity develops applications, it must develop and regularly review secure development practices.
Multi-Factor Authentication (500.12)
- Multi-factor authentication is mandatory for any individual accessing the covered entity’s internal networks from an external network (unless CISO provides written exception).
Limitations on Data Retention (500.13)
- The covered entity must have policies and procedures addressing the secure disposal and destruction of nonpublic information on a periodic basis.
Encryption of Nonpublic Information (500.15)
- The covered entity must utilize encryption to protect nonpublic information unless this is not feasible.
Step 4: Develop Organizational Measures
The regulation is very specific of what it requires the covered entity to do in terms of organizational measures.
Cybersecurity Personnel and Intelligence (500.10)
- The covered entity must utilize qualified cybersecurity personnel, whether in-house or outsourced, to adequately manage the organization’s cybersecurity risks and oversee the performance of the core cybersecurity function.
Third Party Service Provider Security Policy (500.11)
- The covered entity must implement written policies and procedures specifically directed toward securing the nonpublic information that is stored, processed, or transmitted by a third party service provider.
Training and Monitoring (500.14)
- The covered entity must implement risk-based policies, procedures, and controls to monitor authorized user activities as well as detect unauthorized access, use, and/or tampering. The covered entity must also provide cybersecurity awareness training on a regular basis.
Step 5: Prepare for a Cyberattack
The regulation outlines requirements for potential cybersecurity incidents.
Incident Response Plan (500.16)
- The covered entity must have a written incident response plan.
Incident/Breach Reporting (500.17)
- Covered entities are required to notify the New York State Department of Financial Services superintendent no later than 72 hours from the point at which it is determined that certain cybersecurity events have occurred. Additionally, covered entities must submit an annual written statement by February 15 to the superintendent covering the prior calendar year.
There are some exceptions
Some entities are exempt from a portion or all of the new regulations. If your entity is exempt, you must still file a Notice of Exemption within 30 days from determining your entity is not a covered entity.
Exempt from 500.04, 500.05, 500.06, 500.08, 500.10, 500.12, 500.14, 500.15
- Fewer than 10 employees, including any independent contractors of the covered entity or affiliates located in New York or responsible for business of the covered entity OR
- Less than $5 million in gross annual revenue in each of the last three fiscal years from New York business operations of the covered entity and its affiliates OR
- Less than $10 million in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates.
Exempt from all sections
- An employee, agent, representative or designee of a covered entity, who is itself a covered entity, is exempt from this Part and need not develop its own cybersecurity program to the extent that the employee, agent, representative or designee is covered by the cybersecurity program of the covered entity.
- Persons subject to Insurance Law section 1110; Persons subject to Insurance Law section 5904; and any accredited reinsurer or certified reinsurer that has been accredited or certified pursuant to 11 NYCRR 125.
Exempt from 500.02, 500.03, 500.04, 500.05, 500.06, 500.07, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16
- A covered entity that does not directly or indirectly operate, maintain, utilize or control any Information Systems, and that does not, and is not required to, directly or indirectly control, own, access, generate, receive or possess nonpublic information.
Turn your employees into a human firewall with our innovative Security Awareness Training.
Our e-learning modules take the boring out of security training.
Get a curated briefing of the week's biggest cyber news every Friday.
Intelligence and Insights