NEW YORK’S CYBERSECURITY REGULATION Update September 2018

The landmark NYS DFS cybersecurity regulation that took effect in New York State in March 2017 is approaching its third of four signposts. This was the first regulation of its kind that included prescriptive direction for the protection of personally identifiable information handled by all financial institutions that conduct business in the State.

The previous signposts included Policy creation, such as having a cybersecurity program, and an incident response plan. Within the second signpost specifically, there were some more technical items, including multi-factor authentication for remote access as well as penetration testing.

The next set of signposts are set to take effect on September 4th, and they are amongst the toughest from a technical standpoint. They include data encryption (in transit and at rest), five-year audit trails and limitations on data security.

What is required on September 4, 2018?

Starting September 4th, companies will be required to have commenced mandatory annual reporting to the board by the Chief Information Security Officer concerning critical aspects of the cybersecurity program, have an audit trail designed to reconstruct material financial transactions sufficient to support normal operations in the event of a breach, and will need to have policies and procedures in place to ensure the use of secure development practices for IT personnel that develop applications for the Covered Entity. Companies also must implement encryption to protect nonpublic information held or transmitted by the company. Entities are also required to have developed policies and procedures to ensure secure disposal of information that is no longer necessary for the business operations, and must have implemented a monitoring system that includes risk based monitoring of all persons who access or use any of the company’s information systems or who access or use the company’s nonpublic information.

With the eighteen month transitional period ending Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.

Section 500.06 Audit Trail:

1)    Each Covered Entity shall securely maintain systems that, to the extent applicable and based on its Risk Assessment:

a)     are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the Covered Entity; and

b)    include audit trails designed to detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity.

2)    Each Covered Entity shall maintain records required by section 500.06(a)(1) of this Part for not fewer than five years and shall maintain records required by section 500.06(a)(2) of this Part for not fewer than three years.

Section 500.08 Application Security.

1)    Each Covered Entity’s cybersecurity program shall include written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications utilized by the Covered Entity, and procedures for evaluating, assessing or testing the security of externally developed applications utilized by the Covered Entity within the context of the Covered Entity’s technology environment.

2)    All such procedures, guidelines and standards shall be periodically reviewed, assessed and updated as necessary by the CISO (or a qualified designee) of the Covered Entity.

Section 500.13 Limitations on Data Retention.

1)    As part of its cybersecurity program, each Covered Entity shall include policies and procedures for the secure disposal on a periodic basis of any Nonpublic Information identified in section 500.01(g)(2)-(3) of this Part that is no longer necessary for business operations or for other legitimate business purposes of the Covered Entity, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.

Section 500.14 Training and Monitoring.

1)    As part of its cybersecurity program, each Covered Entity shall:

a)     implement risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information by such Authorized Users; and

b)    provide regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the Covered Entity in its Risk Assessment.

Section 500.15 Encryption of Nonpublic Information.

1)    As part of its cybersecurity program, based on its Risk Assessment, each Covered Entity shall implement controls, including encryption, to protect Nonpublic Information held or transmitted by the Covered Entity both in transit over external networks and at rest.

a)     To the extent a Covered Entity determines that encryption of Nonpublic Information in transit over external networks is infeasible, the Covered Entity may instead secure such Nonpublic Information using effective alternative compensating controls reviewed and approved by the Covered Entity’s CISO.

b)    To the extent a Covered Entity determines that encryption of Nonpublic Information at rest is infeasible, the Covered Entity may instead secure such Nonpublic Information using effective alternative compensating controls reviewed and approved by the Covered Entity’s CISO.

c)    To the extent that a Covered Entity is utilizing compensating controls under (a) above, the feasibility of encryption and effectiveness of the compensating controls shall be reviewed by the CISO at least annually.

Who needs to comply?

All financial service companies that are licensed in New York State are subject to the requirements of this regulation. This includes nonresident licensees. Covered entity means “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”

About Prager Metis Technology

PragerMetis Technology (PMT) is the technology arm of PragerMetis, a top 60 accounting firm. Offices in New York, Miami, Los Angeles, London and India.  PMT is located in the firm’s Woodbury office. The firm specializes in cybersecurity, risk intelligence, advanced analytics, regulatory compliance, blockchain, cryptocurrencies and other technology solutions.

For more information contact: