Monday, August 28, 2017 marked the first compliance deadline for the New York Department of Financial Services' (NYDFS) cybersecurity regulation 23 NYCRR 500. If your organization is regulated by the DFS, you probably already know that 23 NYCRR 500 was first implemented in March last year with the goal of establishing minimum security guidelines to protect financial institutions and their customers from cyber attacks.
The requirements span several security areas, but one recurring theme is the need for visibility into risks and ensuring only the right people have access to sensitive data. Read on for an overview of the regulation and how identity and access management can help with several of these compliance requirements.
I’m not based in NY – why should I care?
At first glance, it may look like you’re off the hook if you’re not part of a banking, insurance, or financial organization regulated by the DFS. But it might be worth taking a closer look – the regulation’s reach can be broader. For example, if your organization is an out-of-state bank with branches in New York, you still need to comply. And because New York is now also a global financial hub, the same goes for international financial organizations operating in New York. Have financial services organizations as your clients or partners? Requirements for third party service providers might affect you, too. In short, if you’re doing any finance-related business in New York, you might also want to pay attention.
So what does this first deadline mean?
The different sections of 23 NYCRR 500 have different deadlines, so don’t panic yet if you’re still in the process of implementing all your changes. Monday marked the first phase of compliance requirements, which included:
- Establishing a cybersecurity program,
- Creating and following a set of cybersecurity policies,
- Assigning a CISO,
- Limiting and periodically reviewing user access privileges,
- Hiring qualified cybersecurity personnel, and
- Establishing a written incident response plan.
Many of these requirements probably already existed in some form in your organization, but for all you procrastinators and perfectionists still tweaking details, you have until February 15, 2018 before you have to submit your first certification of compliance.
What's coming up next?
The remainder of the requirements are due in 2018 and 2019, so you’ve got some time. The next deadline is March 1, 2018, by which you’re expected to have processes in place to:
- Establish periodic penetration testing and vulnerability assessments,
- Conduct periodic risk assessment of information systems,
- Use multi-factor authentication or risk-based authentication,
- Provide regular cybersecurity awareness training, and
- Deliver an annual report by the CISO to the board of directors on the cybersecurity program and any risks.
After that, the next deadline is the eighteen-month mark after the regulation’s passing, September 3, 2018. That’s when organizations need to meet the following to stay compliant:
- Maintain records and audit trails,
- Establish and follow guidelines for application security,
- Limit data retention and establish proper procedures for safe data disposal,
- Monitor and detect unauthorized access of sensitive information, and
- Encrypt nonpublic data in motion and at rest.
The final due date involves making sure your cybersecurity ducks are still in a row when it comes to your third party service providers. You’ve got until March 1, 2019 to create and apply security policies to third party providers accessing your data.
How Okta can help.
As an identity and access management leader, Okta can help your organization meet the access and authentication requirement portions of 23 NYCRR 500.
Requirements like limiting user access privileges, conducting risk assessments, and monitoring access to sensitive information all hinge on having visibility into who has access to what. Solutions like Okta's Lifecycle Management can help build a holistic map of users and data access permissions and reveal risk factors such as users with excess privileges. Admins can also easily take action to add, remove, or change users' access to applications. Our robust reporting and API also give you the ability to monitor authentication events and integrate with other security tools for effective detection of security risks.
One of the explicit requirements due in March is the use of multi-factor or risk-based authentication. Okta’s Adaptive Multi-factor Authentication (AMFA) solution satisfies this requirement with the simplicity end users want and the ease of management admins appreciate. But our approach also takes security a step further by encouraging strong authentication across all applications, not just systems holding nonpublic information or access coming from an external network. Modern cyber attacks use phishing and social engineering to obtain credentials, which makes any application a critical app. So use this regulation to re-examine how identity can play a larger role in your organization’s overall security.