It’s that time again. The third compliance deadline for New York’s sweeping new cybersecurity regulation is less than three weeks away.
That means five new requirements must be in place by September 4, 2018.
And late last week, New York State Department of Financial Services Superintendent Maria T. Vullo issued a “reminder” to financial institutions and insurance companies covered by the regulation. “September 4th marks another important milestone in further protecting the financial services industry and the consumers they serve from the threat of cyber-attacks thanks to DFS’s landmark cybersecurity regulation,” said Superintendent Vullo.
“These new protections … add crucial tools to the regulation’s prior requirements in protecting the institutions and consumers.”
Here’s a brief overview of the Sept. 4th compliance requirements:
Audit Trails
The audit trail requirement is two-fold, both based on the organization’s risk assessment. First, it requires covered organizations to maintain audit trails that “are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the Covered Entity.” Second, the regulation requires the maintenance of “audit trails designed to detect and respond to Cybersecurity Events.” The audit trails must be maintained for five years for material financial transactions and three years with respect to the detection of cybersecurity events. These requirements are found in Section 500.06 of the regulation.
Application Security
Section 500.08(a) requires that an organization’s cybersecurity program include “written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications utilized … and procedures for evaluating, assessing or testing the security of externally developed applications….” Again, the scope of this provision is based on the entity’s risk assessment.
Limitations on Data Retention
As part of their cybersecurity programs, Section 500.13 requires organizations to implement policies and procedures for the periodic secure disposal of any nonpublic information “that is no longer necessary for business operations or for other legitimate business purposes.” Exceptions are made for data required to be maintained by law or regulation or where disposal is not feasible because of the way it is stored.
Monitoring
Covered entities are also required to ‘implement risk-based policies, procedures and controls designed to monitor the activity of Authorized Users [defined as “any employee, contractor, agent or other Person that participates in the business operations … and is authorized to access and use any Information Systems and data of the Covered Entity.”] and detect unauthorized access or use of, or tampering with” nonpublic information. That requirement is found in Section 500.14(a) of the regulation.
Encryption of Nonpublic Information
Finally, section 500.15 requires the implementation of controls, including encryption, of nonpublic information both at rest in an organization’s internal environment and in transit over external networks. As you might remember, DFS cut back the scope of this provision during the comment period by limiting encryption to external networks.
One question raised by the “data at rest” requirement is its scope and the operational issues inherent in encrypting data sitting on an organization’s servers, hard drives, portable media or other storage devices. Because this requirement is also based on the risk assessment, covered businesses will need to take a close look at the risks posed by such data and whether it is feasible to use encryption.
What if encryption isn’t feasible? Section 500.15 permits the use of alternative compensating controls for both encryption at rest and in transit. The use of alternatives to encryption must be reviewed and approved by an organization’s chief information security officer at least annually.
In the coming weeks, we’ll take a closer look at these new requirements.
