Frederick W. Scholl
The New York State Cybersecurity Requirements (23 NYCRR 500) for financial services companies went into effect on March 6, 2017. The 43 requirements in this regulation may seem daunting, especially considering the numerous other state and federal cybersecurity regulations that are applicable to covered entities. Rather than running out to implement them before the August 28, 2017 deadline, a better approach is to build out a security framework, through which 23 NYCRR 500 and other regulations can be simultaneously satisfied and tracked. Use of a security framework has the added benefit that you will be following best security practice to protect your organization’s information and customers. The NIST Cybersecurity Framework (CSF) is just such a framework for this purpose (Draft Version 1.1 is available on the NIST website here).
The new cybersecurity regulation is a requirement for all but the smallest financial institutions in New York State. These include: banks, insurance companies, agents and brokers, trusts, mortgage brokers, private banks and 20 other business categories listed on the DFS website. Many firms may not be familiar with cybersecurity regulations, although headlines constantly report on security breaches. According to the NYS Attorney General, data breaches in New York State were up 40% in 2016; hence the new law.
The most important thing to note about 23 NYCRR 500 is that it is based on the NIST CSF. NIST CSF is built around the five functions of: Identify, Protect, Detect, Respond and Recover. This table shows the five security functions called out by the CSF and the principal functions called out by 23 NYCRR 500.
You can therefore use the CSF as a basis for meeting the new regulations. The big benefit of this approach is that you can then use CSF to support other compliance regulations you may need to meet. The diagram below illustrates this. By following the CSF security framework, you will be able to effectively report on a range of compliance requirements. If you accept credit cards, you will need to be PCI DSS 3.2 compliant. If you are a NYS registered HMO, then you also need to be HIPAA compliant.
There are some differences to be aware of between the individual compliance regulations and the CSF. For example, let’s compare 23 NYCRR 500 and the NIST CSF. Generally, CSF is broader in scope. It has 23 categories of security activities and 98 subcategories. 23 NYCRR 500 has 43 activities. On the other hand, some of the state regulations are spelled out in detail, whereas the CSF leaves the details to the “implementer”. You need to be aware of these details to meet the regulation’s requirements. For example:
- NYS requires designation of a CISO (Chief Information Security Officer) role, either internal or outsourced. CSF requires that senior executives and all staff understand their roles in security, but does not require a CISO designation.
- NYS requires that organizations adopt a cybersecurity program. NIST CSF is voluntary.
- NYS requires that the CISO provide an annual written report to the board. CSF requires only that risk management processes are established.
- NYS requires annual penetration testing. CSF says asset vulnerabilities must be identified and documented.
- NYS requires risk-based vulnerability testing every six months. CSF requires a vulnerability management plan.
- NYS requires saving cybersecurity-related records for five years. CSF requires proper data lifecycle management and following legal and regulatory requirements.
- NYS requires regular review of application security programs. CSF recommends that risk management processes and a systems development lifecycle be established.
- 500.17 requires annual certification and notation of remediation efforts, submitted to the Superintendent of Financial Services. These types of details are regulation specific and not in the CSF.
A detailed crosswalk between CSF and 23 NYCRR 500 is attached to the end of this post.
A big plus in the CSF is that it recognizes maturity levels for security. An effective security program cannot be built in a few months. It should be planned around attainment of defined maturity levels. NIST recognizes four such levels, or tiers in the NIST jargon. 23 NYCRR 500 also implicitly recognizes a maturity path for organizations. This is described in Section 500.22, Transitional Periods. A number of the requirements are extended out two years. This is actually a good idea, because it gives businesses time to plan a cost-effective, repeatable method for meeting the regulation.
All in all, 23 NYCRR 500 appears to be an effective regulation: only 14 pages long; based on the latest cybersecurity thinking (NIST CSF); and implementable in stages.
CROSSWALK BETWEEN CSF 1.1 AND 23 NYCRR 500