NYS DFS Cybersecurity Regulations
TRANSCRIPT
The New NYDFS Cybersecurity Regulations: What They Require. What They Mean for Your Company and Your Vendor Supply Chain
05/01/2023 1
Webinar Agenda
◦ Speaker Introductions
◦ NY DFS & Regulatory Environment Background
◦ Covered and Exempt Entities
◦ Top 5 Regulatory “Surprises”
◦ Cybersecurity Required Elements
◦ Security Best / Leading Practices Mapped to Requirements
◦ Question and Answer
Speaker Introductions
Jon Bosco, Partner, eDelta Consulting, Inc.
Email: [email protected]
Direct: +646-205-9961

EXPERIENCE SUMMARY
Jon co-founded eDelta Consulting, Inc. (“eDelta”) in 2000 with former Ernst and Young, LLP alumni in order to provide a wide range of Technology and Information Security services to Fortune 500 clients and medium-sized public and private companies. For more than a decade, Jon has been evaluating information systems and associated business processes in major industries, including financial services, retail and entertainment.
Jon has assisted the internal audit departments of several Fortune 500 companies in developing and executing plans to mitigate technology and business risks. Jon has strong project management, organizational and technical skills. Jon is a frequent speaker on issues as diverse as Sarbanes-Oxley, information security, disaster recovery, business continuity planning, corporate risk assessment, and Computer Assisted Audit Techniques (CAATs). He has expert knowledge of technology challenges and their related regulatory and compliance impact on major corporations.
Prior to eDelta, Jon was a Manager in Ernst & Young's New York ISAAS Financial Services Group. As a manager at Ernst & Young, Jon managed various external Technology and Financial Audits for a diverse set of companies, mutual funds, and broker/dealers. Jon is a Certified Public Accountant.
Speaker Introductions
Rich Santalesa, Esq.
Email: [email protected] (also reachable at blegalgroup.com)
Direct: +203-307-2665

EXPERIENCE SUMMARY
◦ Int'l Association of Privacy Professionals (IAPP) "Certified Information Privacy Professional"
◦ IAPP Co-Chair of CT KnowledgeNet (1/1/2014 - 1/1/2016)
◦ Guest Lecturer at Sacred Heart University, in Masters Degree in Cybersecurity Program
◦ American Bar Association, Section of Science & Tech Law, Chair of Social Networking Committee; Member InfoSec and EDDE Committees
◦ New York State Bar Association - Intellectual Property Law Section – Internet & Technology Law Committee
◦ Greater Bridgeport Bar Association - Intellectual Property & Commercial Law Committees
◦ Former local elected official – elected to two year legislative term (unpaid) as Fairfield Representative Town Member (2009-2011) responsible for ordinances, oversight and approval of $251+ million budget; appointed to Legislative & Administration Committee; Former Fairfield Conservation Commissioner.
◦ Certified mentor for small businesses and startups via the CT branch of SCORE, a nationally recognized volunteer counseling organization affiliated with the SBA
◦ Admitted in New York, District of Columbia and Connecticut (achieved 2nd highest scaled Multistate Bar Exam score of 390 examinees seated for Feb. 2008 Connecticut bar exam)
New York State Dept of Financial Services
◦ Created in 2011 when the NYS Insurance Department and NYS Banking Department were consolidated.
◦ Supervises approximately 4,500 entities. Regulated entities include: state-chartered banks and trust companies; insurance companies; insurance producers; insurance adjusters; bail bond agents; service contracts; life settlements; budget planners; charitable foundations; check cashers; credit unions; investment companies; licensed lenders; money transmitters; mortgage bankers; mortgage brokers; mortgage loan servicers; premium finance agencies; private bankers; safe deposit companies; sales finance companies; savings banks; and savings and loans. (http://www.dfs.ny.gov/about/whowesupervise.htm)
◦ Headed by the Superintendent of Financial Services. First, Ben Lawsky, now Maria Vullo.
Short History of the Regs
◦ In 2013 the NYDFS began surveying banking organizations and then insurance companies.
◦ Issued reports in 2014 and 2015 on cybersecurity in the insurance and banking industries:
  ◦ Report on Cyber Security in the Banking Sector - May 2014
  ◦ Report on Cyber Security in the Insurance Sector - February 2015
  ◦ Update on Cyber Security in the Banking Sector: Third Party Service Providers - April 2015
◦ Letter sent from NYDFS on Nov 9, 2015 by then Acting Superintendent to 18 members of the Financial and Banking Information Infrastructure Committee heralding intent to issue cybersecurity requirements
The Regs to date
◦ Proposed Regs, announced: September 13, 2016
  ◦ “Cybersecurity Requirements For Financial Services Companies” (Part 500 of Title 23 of the Official Compilation of Codes, Rules, and Regulations of the State of New York)
◦ Published in State Register: September 28, 2016
◦ Public comment period ended on Nov. 14, 2016
◦ Little to nothing on NYDFS website since…
◦ NYDFS Reg Materials Released
  ◦ Proposed 23 NYCRR 500 (PDF)
  ◦ Notice of Proposed Rulemaking (PDF)
  ◦ Summary of the Rules (PDF)
  ◦ Regulatory Impact Statement - SAPA (PDF)
  ◦ Executive Order No. 17 (PDF)
Who is covered by the Regs?
◦ “Covered Entities” - as defined by the Regs mean “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the [NY] banking law, the [NY] insurance law or the [NY] financial services law.”
  ◦ NYDFS regulated institutions can be found at http://www.dfs.ny.gov/about/whowesupervise.htm
◦ CE’s include individuals, partnerships, and corporations operating in the banking, insurance and other financial services industries within New York and regulated by the DFS. Includes state-chartered commercial banks and state-licensed branches and agencies of foreign banks.
◦ Regs do not apply to local governments.
◦ Limited exemption to Regs
05/01/2023 IAPP KnowledgeNet 7
Limited Exemption
Sec. 500.18(a) includes a limited exemption to the Regs for otherwise Covered Entities. If a CE has:
◦ Fewer than 1,000 customers in each of the last 3 years, AND
◦ Less than $5M in gross annual revenue in each of last 3 fiscal years, AND
◦ Less than $10M in year-end total assets per GAAP (including any affiliates for purposes of the total asset calculation)…
THEN, such entities are exempt from the Regs requirements involving maintenance of specific cybersecurity personnel, app development, multi-factor authentication, training, encryption, audits and audit trails, and conducting vulnerability tests.
Everything else still applies!
Gramm-Leach-Bliley?
What about GLBA? Or other federal agency “guidance” and recommendations, such as FFIEC and SEC recommendations?
Are the NYDFS Regs pre-empted for federally regulated entities?
NO! The Regs expressly note they “duplicate” “to a very limited extent” GLBA Sec. 421 requirements, but that state regs providing greater protections are expressly authorized under GLBA Sec. 6807(b).
Regs Short List
◦ Programs - A comprehensive Cybersecurity Program covering 8 core functions
◦ Policies - A written Cybersecurity Policy, Third Party Infosec Policy, and Incident Response Plan, each of which must address specific required items
◦ Personnel - Training, monitoring, appointment of a “qualified individual” as CISO, and “sufficient” cybersecurity personnel (outside third parties can handle these functions)
◦ Technology - Infosec technology and practices, including:
  ◦ MFA, encryption (at rest and in transit), data retention limits, 6 years of audit trail records, mandated training for all employees and specific cybersecurity training, and testing/risk assessment (including quarterly vulnerability assessments + annual penetration testing).
◦ Third Party Vendor Requirements – Annual assessment of vendors’ cybersecurity practices and mandated contractual terms “to the extent applicable”, including: use of MFA, encryption, “prompt” notice of “any” Cybersecurity Event, ID protection services for customers, rep that any service or product is free of viruses, etc., and right to perform “cybersecurity audits”.
◦ Reporting & Certification that includes:
  ◦ CISO written report to board of directors at least 2x year (which DFS can request!);
  ◦ Reporting to NYDFS of certain “Cybersecurity Events” within 72 hours of discovery;
  ◦ Annual certification by BoD or “Senior Officer(s)” of compliance with Regs to NYDFS by Jan 15th of each year (with maintenance for 5 years of “records, schedules and data” supporting the certification).
Top 5 Reg Surprises
◦ Short 72 Hour Notifications to NYDFS, and DFS can request all CISO reports
◦ Expansive definition of “Nonpublic Information” that goes well beyond traditional PHI or PII definitions
◦ Encryption everywhere of NPI – at rest and in transit
◦ 6 year retention of massive audit trail records, including
  ◦ Data sufficient to allow for “complete and accurate reconstruction of all financial transactions and accounting necessary… to detect and respond to a cybersecurity event”
  ◦ Detailed logging of all system events, sysadmin functions performed and all privileged access to critical systems
◦ Third Party Vendor Requirements – Risk assessments, annual assessment of TPV cybersecurity practices, contractual requirements, including ID protection services and cybersecurity audit rights of vendors with NPI or systems
Cybersecurity Program
Cybersecurity Program to ensure “confidentiality, integrity and availability” of Information Systems, which must address:
◦ Minimum of 6 Core Functions – identify cyber risks, defensive infrastructure, Cybersecurity Event detection, response and mitigation, recovery and regulatory reporting
◦ Annual penetration testing and quarterly vulnerability testing
◦ Detailed audit trail logging and data retention
◦ Appropriate access privilege settings and access limitations
◦ Risk-based policies, procedures and controls to monitor unauthorized access
◦ Encryption of all Nonpublic Information – at rest and in transit
◦ Data retention limits and timely destruction of NPI no longer necessary
◦ Regular cybersecurity awareness training for all employees
◦ Secure application development – both internal & external
◦ Written Incident Response Plan
◦ Must be reviewed and approved by CISO annually
Policies
◦ Cybersecurity Policy detailing policies and procedures for protection of NPI and Information Systems.
  ◦ Must at minimum address 14 areas, which are broad and open-ended (e.g., “capacity and performance planning, customer data privacy, risk assessment, data governance and classification, etc.)
  ◦ May require existing Cybersecurity Policies to be reviewed and expanded given broad definition of NPI
  ◦ Must be updated “as frequently as necessary” but at least annually
◦ Third Party Information Security Policy to ensure security of NPI and Information Systems “accessible to or held by” third parties.
  ◦ Identifying these parties and performing risk assessments
  ◦ Specifying minimum cybersecurity practices such third parties must meet
  ◦ Detailing due diligence processes to determine third party cybersecurity adequacy
  ◦ Annual assessment of third parties’ cybersecurity practices. What is enough?
  ◦ Contractual requirements as we’ll see further.
Personnel
◦ Chief Information Security Officer – Must be designated, who must be “qualified” and responsible for oversight, implementation and enforcement of Cybersecurity Program and Policy.
  ◦ Can be met through third party service providers (“outsourced CISO”)
  ◦ DFS can request all CISO reports
◦ New IT security personnel requirements
  ◦ Must “employ cybersecurity personnel sufficient to manage” cybersecurity risks and perform core cybersecurity functions
  ◦ Regular “cybersecurity update and training sessions” for all cybersecurity personnel (and annual cybersecurity training for everyone else)
  ◦ Require “key” cybersecurity personnel to “stay abreast of” cybersecurity threats and countermeasures
  ◦ Covered Entities can use a “qualified third party” to assist with these personnel requirements
Third Party Vendor Requirements
◦ Separate written Third Party Information Security Policy
◦ Periodic (at least annually) assessment of third party cybersecurity practices. Is a questionnaire sufficient?
◦ Written minimum cybersecurity practices third parties must meet “in order for them to do business” with Covered Entity. Typically a contract Exhibit add-on
◦ And contractual provisions for third party contracts requiring the vendor “to the extent applicable” to agree to:
  ◦ Multi-Factor Authentication
  ◦ Encryption in transit and at rest
  ◦ Prompt notice for any Cybersecurity Event (even one not containing Covered Entity NPI) affecting the third party vendor
  ◦ Offer identity protection services (for unspecified length of time) to any Covered Entity customers “materially impacted” by Cybersecurity Event due to third party’s “negligence or willful misconduct”
  ◦ Reps and Warranties of no viruses, trap doors, time bombs “and other mechanisms that would impact the security” of CE’s Information Systems or NPI
  ◦ AND THE BIG ONE – “right of Covered Entity or its agents to perform cybersecurity audits” of the third party
Reporting & Notices
◦ Biannual CISO report to board, which DFS can request:
  ◦ Must assess security status, detail exceptions to cybersecurity policies/procedures, identify cyber risk to CE, assess “effectiveness” of cybersecurity program, list remediation steps for any identified items, and summarize “all material Cybersecurity Events” that affected CE during time period of report.
◦ Annual Certification to DFS by Jan 15 of each year using form specified by Regs
  ◦ Certification that Board or Senior Officer have reviewed “documents, reports, certifications and opinions” as necessary, that “to best of knowledge” CE complies with Regs, and documents any areas requiring “material improvement, updating or redesign” and any “remedial efforts planned and underway” as to such areas.
◦ Must notify DFS Superintendent within 72 hours of discovery of (1) all Cybersecurity Events with “reasonable likelihood of materially affecting the normal operation of the CE or that affects NPI” and (2) any identified “material risk of imminent harm” relating to CE’s cybersecurity program.
Security Best / Leading Practices Mapped to Requirements
Agenda
◦ Risk Assessment (Section 500.09)
◦ Multi-Factor Authentication vs. Risk-Based Authentication (Section 500.12)
◦ Access Privileges (Section 500.07)
◦ Penetration Testing vs Vulnerability Assessments (Section 500.05)
◦ Application Security (Section 500.08)
◦ Third-Party Information Security (Section 500.11)
◦ Audit Trail & Data Retention (Section 500.06)
◦ Training & Monitoring (Section 500.14)
◦ Encryption (Section 500.15)
◦ Incident (Breach) Response (Section 500.16)
Risk Assessment (Section 500.09)
“Annually”, “conduct a risk assessment”, “in accordance with written policies and procedures”, that are “documented” and that “includes” a “criteria for the evaluation and a categorization of identified risks” considering “confidentiality, integrity, and availability” of “systems” and the related “adequacy of existing controls”
Best Practices
Industry Best Practice Frameworks:
o FFIEC Cybersecurity Assessment Tool (https://www.ffiec.gov/cyberassessmenttool.htm)
o National Institute of Standards and Technology (NIST) CyberSecurity Self-Assessment Tool (https://www.nist.gov/sites/default/files/documents/2016/09/15/baldrige-cybersecurity-excellence-builder-draft-09.2016.pdf)
o US-CERT Cyber-Resilience Review (https://www.us-cert.gov/ccubedvp/assessments)
Access Privileges (Section 500.07)
“Limit access”, “to nonpublic information”, “to those individuals that require such access”, “to perform their responsibilities” and “periodically review such access”
Best Practices
“Key” features and/or controls that need to be embedded within “Identity Management” solutions and/or the internal control environment:
o Account Request Management - Ability to request, establish, modify, and/or terminate access.
o Role-Based Access - Ability to manage groups, roles, permissions, and/or resources based on function/responsibility.
o User Provisioning - Ability to periodically retrieve and recertify access based on organizational hierarchies and ownership.
Multi-Factor Authentication vs. Risk-Based Authentication (Section 500.12)
“Multi-Factor Authentication” requires “two of the following types of factors: 1) “Knowledge factors, such as a password”, 2) “Possession factors, such as a token or text message on a mobile phone” and/or 3) Inherence factors, such as a biometric characteristic”. “Risk-Based Authentication” is “authentication that detects anomalies or changes in the normal use patterns of a person” and “requires additional verification of the person’s identity”.
Best Practices
Multi-Factor Authentication
o Knowledge Factors
o Possession Factors
o Inherence Factors
Risk-Based Authentication requiring additional verification
o Device Security
o Concurrent Login
o Stale Account Login
o Failed Login Attempts Exceed Thresholds
o Behavioral Profiling

Multi-Factor Authentication vs. Risk-Based Authentication (Section 500.12) (Continued)
◦ “Multi-Factor Authentication” required “for any individual accessing the Covered Entity’s internal systems or data from an external network”.
◦ “Multi-Factor Authentication” required for “privileged access” to database servers that allow access to Nonpublic Information.
◦ “Risk-Based Authentication” required “in order to access web applications that capture, display or interface with Nonpublic Information”.
◦ “Multi-Factor Authentication” required “for any individual accessing web applications that capture, display or interface with Nonpublic Information”.
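As an added illustration (not code from the webinar or from NYDFS; thresholds, field names and the sample events are assumptions constructed here), the risk-based authentication signals listed above turned into a step-up decision over constructed login events:

```python
"""Risk-based authentication decision logic in the spirit of 23 NYCRR 500.12.
Added illustration, not code from the webinar or from NYDFS: it evaluates the
signals listed on the slide (device, concurrent login, stale account, failed
login threshold, behavioral profile) and decides whether a login needs
additional verification. Thresholds, field names and sample data are assumptions."""
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple
FAILED_THRESHOLD = 5                   # assumed: 5 failures inside the window
FAILED_WINDOW = timedelta(minutes=15)
STALE_ACCOUNT = timedelta(days=90)     # assumed: no login for 90 days = stale
CONCURRENT_WINDOW = timedelta(minutes=30)

@dataclass
class UserProfile:
    known_devices: Set[str]
    usual_countries: Set[str]
    usual_hours: range                 # local hours the user normally logs in
    last_login: Optional[datetime]
    failed_attempts: List[datetime] = field(default_factory=list)
    active_sessions: List[Tuple[str, datetime]] = field(default_factory=list)

@dataclass
class LoginEvent:
    user: str
    device_id: str
    country: str
    at: datetime

def risk_signals(profile: UserProfile, ev: LoginEvent) -> List[str]:
    """Names of the anomalies that fire for this login attempt (empty = normal)."""
    signals = []
    if ev.device_id not in profile.known_devices:             # device security
        signals.append("new_device")
    if profile.last_login is None or ev.at - profile.last_login > STALE_ACCOUNT:
        signals.append("stale_account")
    recent = [t for t in profile.failed_attempts if timedelta(0) <= ev.at - t <= FAILED_WINDOW]
    if len(recent) >= FAILED_THRESHOLD:
        signals.append("failed_attempts_exceeded")
    for country, started in profile.active_sessions:          # concurrent login
        if country != ev.country and abs(ev.at - started) <= CONCURRENT_WINDOW:
            signals.append("concurrent_login_other_country")
            break
    if ev.country not in profile.usual_countries or ev.at.hour not in profile.usual_hours:
        signals.append("behavioral_anomaly")                  # behavioral profiling
    return signals

def requires_step_up(profile: UserProfile, ev: LoginEvent) -> bool:
    # Any anomaly means additional verification of identity (e.g. a second factor).
    return bool(risk_signals(profile, ev))

def evaluate_samples() -> Dict[str, Tuple[List[str], bool]]:
    """Run the checks over a constructed profile and login events (not real data)."""
    now = datetime(2017, 3, 1, 10, 0)
    profile = UserProfile(
        known_devices={"laptop-7f3a"}, usual_countries={"US"}, usual_hours=range(8, 19),
        last_login=now - timedelta(days=1),
        failed_attempts=[now - timedelta(minutes=40), now - timedelta(minutes=2)],
        active_sessions=[("US", now - timedelta(minutes=10))],
    )
    normal = LoginEvent("alice", "laptop-7f3a", "US", now)
    burst = [now - timedelta(minutes=m) for m in range(1, 6)]
    cases = {
        "normal": (profile, normal),
        "night_login": (profile, replace(normal, at=now.replace(hour=3))),
        "new_device_abroad": (profile, LoginEvent("alice", "phone-0000", "DE", now)),
        "failure_burst": (replace(profile, failed_attempts=burst), normal),
        "stale_account": (replace(profile, last_login=now - timedelta(days=120)), normal),
    }
    return {n: (risk_signals(p, e), requires_step_up(p, e)) for n, (p, e) in cases.items()}
```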
Penetration Testing vs Vulnerability Assessments Practices (Section 500.05)
“Vulnerability assessment of”, “Information Systems at least quarterly”. “Penetration testing” of “Information Systems at least annually”.

Differences: Vulnerability Scan vs. Penetration Test
Purpose
  Vulnerability Scan: Identify, rank, and report vulnerabilities that, if exploited, may result in an intentional or unintentional compromise of a system.
  Penetration Test: Identify ways to exploit vulnerabilities to circumvent or defeat the security features of system components.
When
  Vulnerability Scan: At least quarterly or after significant changes.
  Penetration Test: At least annually and upon significant changes.
How
  Vulnerability Scan: Typically a variety of automated tools combined with manual verification of identified issues.
  Penetration Test: A manual process that may include the use of vulnerability scanning or other automated tools.
Reports
  Vulnerability Scan: Potential risks posed by known vulnerabilities, ranked in accordance with NVD/CVSS base scores associated with each vulnerability.
  Penetration Test: Description of each vulnerability verified and/or potential issue discovered. More specific risks that the vulnerability may pose, including specific methods for how and to what extent it may be exploited. Examples of vulnerabilities include but are not limited to SQL injection, privilege escalation, cross-site scripting, or deprecated protocols.
Duration
  Vulnerability Scan: Relatively short amount of time, typically several seconds to several minutes per scanned host.
  Penetration Test: Engagements may last days or weeks depending on the scope of the test and size of the environment to be tested. Tests may grow in time and complexity if efforts uncover additional scope.
Application Security (Section 500.08)
“Written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications” and “assessing and testing the security of all externally developed applications”.
Industry Best Practice Frameworks:
o Open Web Application Security Project (OWASP)
o Web Application Security Consortium (WASC)
o Others: The Federal Financial Institutions Examination Council (FFIEC), and the National Institute of Standards and Technology (NIST).
Industry Principles:
o Configuration Management
o Secure Transmission
o Authentication & Authorization
o Session Management
o Data Validation
o Output Encoding and Escaping
o Cryptography
o Error Handling
o Risk Functionality
Audit Trail & Data Retention (Sections 500.06 & 500.14)
“Cybersecurity program” that includes the ability to “track and maintain data” for the “complete and accurate reconstruction of all transactions and accounting”, the “logging of all privileged user access to critical systems”, that “protects the integrity” of any “audit trail” or “hardware” “from alteration or tampering”, and that is maintained “for not fewer than six years”.
Privileged Account Best Practices
o Create and enforce policies that forbid the use of single, “all powerful” accounts.
o Privileged Account Password Tools (one time password generation/expiration)
o Leveraging privileged account monitoring & logging tools (e.g., Sudo, User Session Monitoring & Recording Solutions, Virtual/Physical Jump Stations)
Audit Logging Best Practices
o Log events should be defined so a human can read and understand them
o Events need to be timestamped
o Unique Identifiers should be defined for each auditable activity (IDs)
o Log in a text format (not binary)
o Identify the source of the event
o Limit the ability to access logs and restrict the ability to modify logs (WORM drives, ...)
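As an added example (not the webinar's or NYDFS's code; field names and the logged events are constructed assumptions), an audit trail that applies the logging best practices above and protects its integrity from alteration, so that a modified or deleted line is detectable:

```python
"""Tamper-evident audit trail for the Section 500.06 logging requirements.
Added example, not code from the webinar or from NYDFS: every record is a
timestamped, uniquely identified, human-readable JSON line that carries the
SHA-256 of the previous line, so later alteration or deletion of any line
breaks the chain. Field names and the sample events are assumptions."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

GENESIS = "0" * 64     # "previous hash" of the very first record

def _digest(line: str) -> str:
    return hashlib.sha256(line.encode("utf-8")).hexdigest()

def _encode(record: dict) -> str:
    # Canonical text encoding: the same record always yields the same bytes/hash.
    return json.dumps(record, sort_keys=True, separators=(",", ":"))

class AuditTrail:
    """Append-only, hash-chained log kept as one JSON object per text line."""

    def __init__(self) -> None:
        self.lines: List[str] = []

    def append(self, event_id: str, source: str, actor: str, action: str,
               ts: Optional[datetime] = None) -> str:
        prev = _digest(self.lines[-1]) if self.lines else GENESIS
        record = {
            "id": event_id,                                  # unique per auditable activity
            "ts": (ts or datetime.now(timezone.utc)).isoformat(),
            "source": source,                                # system that produced the event
            "actor": actor,
            "action": action,
            "prev": prev,                                    # chains to the preceding line
        }
        line = _encode(record)
        self.lines.append(line)
        return line

def verify(lines: List[str]) -> int:
    """Return -1 if the chain is intact, else the index of the first line that fails."""
    expected = GENESIS
    for i, line in enumerate(lines):
        try:
            record = json.loads(line)
        except ValueError:
            return i
        if record.get("prev") != expected:
            return i
        expected = _digest(line)
    return -1

def constructed_scenario() -> Dict[str, int]:
    """Build a small privileged-access log (constructed data) and check three states."""
    t0 = datetime(2017, 3, 1, 9, 0, tzinfo=timezone.utc)
    trail = AuditTrail()
    trail.append("evt-0001", "db-prod-01", "dba_jsmith", "sudo su - postgres", t0)
    trail.append("evt-0002", "db-prod-01", "dba_jsmith", "ALTER TABLE accounts ...", t0)
    trail.append("evt-0003", "db-prod-01", "dba_jsmith", "session closed", t0)
    # Alter the actor on the second line after the fact.
    modified = list(trail.lines)
    rec = json.loads(modified[1])
    rec["actor"] = "someone_else"
    modified[1] = _encode(rec)
    # Delete the second line entirely.
    deleted = [trail.lines[0], trail.lines[2]]
    return {"intact": verify(trail.lines), "modified": verify(modified), "deleted": verify(deleted)}
```

Verification flags the first line whose stored "prev" no longer matches the hash of what precedes it, so the modified case fails at index 2 and the deleted case at index 1.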
Encryption (Section 500.15)
“Encrypt all nonpublic information” “in transit” within “one year from the date this regulation becomes effective” or “five years” for nonpublic information “at rest”, with adequate “compensating” controls between the regulation effective date and the end of the transition period.
Best Practices
o In-Transit vs At Rest
o Symmetric vs Asymmetric
o Advanced Encryption Standard (AES)
o Questions Impacting Encryption Decisions
Incident (Breach) Response (Section 500.16)
“Establish a written incident response plan designed to promptly respond to, and recover from, any Cybersecurity Event”
o Policy
o Team
o Response Plan/Strategy
o Communication
o Documentation
o Training
o Testing
Identification, Containment, Eradication, Lessons Learned
Questions and Answers?

Thank you!

Richard Santalesa, Esq, CIPP-US
Sm@rtEdgeLaw Group & Bortstein Legal Group
Phone: (203) 307-2665
www.blegalgroup.com
www.linkedin.com/in/rsantalesa

Jon Bosco
Partner, eDelta Consulting
Phone: (646)
Email: [email protected]
LinkedIn: https://www.linkedin.com/in/jon-bosco-