A major data breach hit the news in September 2016, affecting around 500 million Yahoo users. A few months later, the company revealed that a shocking one billion user accounts were hacked in a different attack that occurred in 2013. This news highlighted one thing: it took Yahoo two years – or three in the case of the 2013 attack – to tell their users that their accounts were hacked.
Yahoo’s delayed disclosure isn’t an isolated incident. MySpace, for instance, also revealed in 2016 that it had suffered a data breach in 2013. While this sort of delayed disclosure is getting more attention, these breaches could have been even more disastrous had the attacks targeted financial institutions. Just imagine hackers having access to your personally identifiable information for two to four years before you knew about it. Think about all the things they could do in that time, without you having an inkling that something was wrong.
Enter the New York Department of Financial Services Cybersecurity Regulation
The NYDFS Cybersecurity Regulation is designed to keep such a scenario, and other worst-case data breach situations, from happening to your users. By now, you should have the rules set forth by the New York Department of Financial Services implemented at your organization. The deadline for compliance with the final phase of the NYDFS Cybersecurity Regulation is March 1, 2019, so all firms covered by these regulations should already be in full compliance.
What is the NYDFS Cybersecurity Regulation?
The NYDFS Cybersecurity Regulation is a set of rules that require financial institutions to have new cybersecurity measures in place. Some of the institutions that are covered by the rules are banks, insurance firms, credit unions, investment companies, savings and loans associations, private bankers, foreign banks, and mortgage firms.
Covered institutions are required to have a well thought out and detailed cybersecurity plan, as well as a cybersecurity policy in place. The Regulation also implements reporting requirements on a periodic basis.
When it first came into effect, the DFS estimated that the new rules would affect around 1,900 banks and financial institutions, which altogether held at least $2.9 trillion in assets. It also affected close to 1,700 insurance companies with assets of more than $4.2 trillion.
Why is the NYDFS Cybersecurity Regulation Needed
Why are the NYDFS mandates needed? On a general level, the NYDFS rules were set up to fight the cyberattacks that had increased in the years leading up to the Regulation’s introduction. In particular, the most common attacks were related to user credentials.
While some say the current regulations are a watered-down version of the proposed laws, the NYDFS Cybersecurity Regulation is still able to protect consumers. For one, with banks and other financial institutions being forced to think about security, they are more aware of the risk, as well as how to detect an attack. They’re also better prepared with a clear plan of action to reduce the risk of data breaches.
All of these requirements ultimately mean that customers will be less likely to have their data and information stolen.
The NYDFS Cybersecurity Program
Every company covered by the new law should have a program that will more or less comply with the NIST Cybersecurity Framework. This means that all programs should be able to:
- Identify, or understand cybersecurity risk to assets, data, capabilities, and systems.
- Protect, or be able to defend against these threats.
- Detect, or be able to pinpoint when these threats occur.
- Respond, or take mitigating actions when these events are detected.
- Recover, or be able to continue doing business and restore services and other capabilities after the event occurs.
These plans should also be able to protect non-public information.
What Does the NYDFS Cybersecurity Regulation Entail?
Not much – that is, if your organization is already in compliance with other existing standards such as SANS CSC 20 or PCI DSS. The framework asks covered organizations to assess their risks and then make sure their policies for data governance, access controls, incident response, system monitoring, and classification are in place and effective.
However, if you do not comply, there are legal repercussions.
Best Practices for NYDFS Cybersecurity Regulation Compliance
According to Digital Guardian, some of the best practices companies should implement to ensure compliance include:
- Find out whether your organization is covered by the regulation. There are currently several exemptions. If you are exempt, you will need to tell the NYDFS within 30 days of the fiscal year’s end. To know if you are covered, you can check the NYDFS website.
- If you are covered by the NYDFS regulations, then you should have a compliance team in place. You should also have a chief information security officer (CISO) in position by now. The CISO will be in charge of all compliance matters.
- You should have a clear understanding of your risk profile. You will need to submit a risk assessment.
Now that the Regulation is about to be fully implemented, covered financial institutions should be concerned with maintaining compliance. To ensure continued compliance, organizations should:
- Assess risks: Periodically assess risks regarding integrity, confidentiality, availability, and security of your IT infrastructure and personally identifiable information.
- Observe the limitations on data retention: You should have the right policies and procedures to dispose of personally identifiable information that is no longer needed for your business.
- Audit trail: You should keep a log of all cybersecurity events, as well as how you responded to them. These records must be kept for five years.
- Access to personally identifiable information: You should be careful about who is given access to personally identifiable information. These privileges should be reviewed periodically.
- Incident response plan: You should have a written plan on how to respond to a variety of cybersecurity incidents. The plan should outline how your organization will fight these threats and should include communication plans, the responsibilities of the people involved in the response, and the remedies to be applied.
- Notice requirements: When a material breach occurs, you must notify the NYDFS no later than 72 hours after it is detected.
- CISOs must certify that their companies are compliant with the regulations every year. This means that you would need to conduct risk assessments at least once a year even when the law is silent on how often you should be doing risk evaluations.
- You will still need to report your progress. You need to inform the NYDFS if there are significant breaches, the state of your business, weaknesses, and other matters. The CISO would also need to certify your compliance with the regulatory body at least once a year.
- Get tools and monitoring systems that can detect any unusual activity involving ransomware, denial-of-service, and other threats.
- Make sure you do an excellent job when doing data classification. Knowing what data is most vulnerable – and potentially valuable to hackers – is an important step.
- Train your employees. Training is really important. You should also be able to trust your staff.
- Use multi-factor authentication. Instead of allowing users to log in with just one set of credentials, apply multi-factor authentication. MFA makes logins more secure by adding another step before access is granted or denied. For instance, once you enter your password, the system sends a text message containing a one-time code to your smartphone; you enter this code to get access.
- Use all the tools available to you. For example, there is software that will encrypt all data, both at rest and in transit. These tools will help you protect your consumers’ data from man-in-the-middle attacks. There are also data loss prevention software solutions that will help you ensure the integrity of your data. Furthermore, you can get identity and access management (IAM) software, as well as a logging platform, to help with other compliance matters.
Benefits of NYDFS Cybersecurity Regulation
The new law took effect in March 2017, and it seeks to address the hacking and data breaches of the past that affected the financial industry. According to Digital Guardian, the final regulations are tamer than the rules in the original proposals. For example, the proposed law required covered companies to encrypt all of their data, whether in transit or at rest. Financial services companies, however, said that would restrict them too much, so it was taken out of the final set of regulations.
There are companies exempt from the NYDFS Cybersecurity Regulation, such as companies with up to 10 employees and independent contractors. If you are exempt, you can still hire an outside firm to ensure compliance for you.
* * *
The New York Department of Financial Services Cybersecurity Regulation is not perfect. However, the main focus is to protect consumers while also making it easier for covered firms to comply. As such, existing standards were used and compromises were made.
What it did achieve, however, was to get firms talking about security: how to fight threats, how to detect them, and how to make sure they are reported. Apart from implementing security plans and remedies, companies are now talking about having somebody like a chief information security officer take charge. These programs also have adequate funding. More importantly, it is also forcing companies to do the right thing even when it is uncomfortable: inform their users when their data has been compromised.