Written by: Richard Rocchio
Effective November 1, 2023, the New York State Department of Financial Services (NYDFS) adopted amendments to its cybersecurity regulation, 23 NYCRR Part 500. The amendments better align with current industry best practices. Initial updates will take effect on December 1, while policy and procedure updates will not take effect until April 2024. Below, we look at NYDFS’ term definitions, as well as new regulatory changes.
NYDFS documented new definitions for the following terms:
- Chief Information Security Officer (CISO) – A qualified individual responsible for overseeing and implementing a covered entity’s cybersecurity program and enforcing its cybersecurity policy.
- Cybersecurity Incident – A cybersecurity event that has occurred at the covered entity, its affiliates, or a third-party service provider that meets any of the following criteria:
  - The event impacts the covered entity and requires the covered entity to notify any government body, self-regulatory agency, or any other supervisory body,
  - The event has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity, or
  - The event results in the deployment of ransomware within a material part of the covered entity’s information systems.
- Independent Audit – An audit conducted by internal or external auditors who are free to make decisions not influenced by the covered entity being audited or by its owners, managers, or employees.
- Privileged Account – Any authorized user account or service account that can be used to perform security-relevant functions that ordinary users are not authorized to perform, including but not limited to the ability to add, change, or remove other accounts, or make configuration changes to information systems.
- Risk Assessment – The process of identifying, estimating, and prioritizing cybersecurity risks to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, customers, consumers, other organizations, and critical infrastructure resulting from the operation of an information system. Risk assessments incorporate threat and vulnerability analyses and consider mitigations provided by security controls planned or in place.
- Senior Governing Body – The board of directors (or an appropriate committee thereof) or equivalent governing body or, if neither of those exists, the senior officer or officers of a covered entity responsible for the covered entity’s cybersecurity program. For any cybersecurity program or part of a cybersecurity program adopted from an affiliate under section 500.2(d) of this Part, the senior governing body may be that of the affiliate.
There are significant updates in each area of cybersecurity that may require additional professional services and technology implementations.
Asset Management
As a part of the new regulation, covered entities must now conduct annual penetration testing “from both inside and outside the information systems boundaries.” In practice this means two separate assessments: an internal penetration test and an external penetration test. Additionally, specific policy updates must be made if an entity does not already have a risk-based timeline for remediating the vulnerabilities found. Most commonly, Wolf sees patch management Service Level Agreements (SLAs) requiring critical and high-risk patches to be applied within 30 days, medium-risk patches within 60 days, and low and informational patches within 90 days. The regulation now also calls out specific attributes that must be captured in an entity’s asset inventory. The list can be found in Wolf’s client alert on this new release.
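A small remediation-SLA checker, added here as an example (not part of the original alert or any Wolf tooling), that applies the 30/60/90-day timelines above to constructed scanner findings and reports which open findings are past their deadline:

```python
from datetime import date, timedelta

# Risk-based remediation timelines from the text: critical/high within 30
# days of discovery, medium within 60, low/informational within 90.
SLA_DAYS = {
    "critical": 30,
    "high": 30,
    "medium": 60,
    "low": 90,
    "informational": 90,
}


def sla_deadline(found_on: str, severity: str) -> str:
    """ISO date by which a finding discovered on `found_on` must be fixed."""
    days = SLA_DAYS.get(severity.lower())
    if days is None:
        raise ValueError(f"unknown severity: {severity!r}")
    return (date.fromisoformat(found_on) + timedelta(days=days)).isoformat()


def overdue_findings(findings, as_of: str):
    """Return (id, severity, days_overdue) for every still-open finding whose
    SLA deadline has passed as of `as_of`, most overdue first.

    Each finding is a dict with keys id, severity, found_on (ISO date) and
    remediated_on (ISO date or None)."""
    today = date.fromisoformat(as_of)
    rows = []
    for f in findings:
        if f.get("remediated_on"):
            continue  # closed findings cannot be overdue
        deadline = date.fromisoformat(sla_deadline(f["found_on"], f["severity"]))
        if today > deadline:
            rows.append((f["id"], f["severity"], (today - deadline).days))
    rows.sort(key=lambda row: row[2], reverse=True)
    return rows


# Constructed sample scanner output; ids and dates are made up.
SAMPLE_FINDINGS = [
    {"id": "VULN-001", "severity": "critical", "found_on": "2024-01-02", "remediated_on": None},
    {"id": "VULN-002", "severity": "medium", "found_on": "2024-01-02", "remediated_on": None},
    {"id": "VULN-003", "severity": "low", "found_on": "2024-01-02", "remediated_on": None},
    {"id": "VULN-004", "severity": "high", "found_on": "2024-01-02", "remediated_on": "2024-01-20"},
]

if __name__ == "__main__":
    for fid, sev, days in overdue_findings(SAMPLE_FINDINGS, "2024-03-15"):
        print(f"{fid} ({sev}) is {days} day(s) past its remediation SLA")
```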
Access Privileges & Management
The main theme for the updates to access management was the principle of least privilege. This also extends to user actions, where the new regulation calls for limiting the use of privileged accounts to only when the privileges are required. If a user were to perform a “normal” action, they should use their account with limited access and permissions. The new regulation also requires entities to implement and maintain a privileged access management solution.
Entities are additionally required to “promptly terminate access following departures.” While this is open-ended, Wolf typically sees entities implement a control requiring all terminated users to be removed immediately at the time of termination, or within 2-3 business days at the latest. Another approach Wolf commonly sees is entities disabling network or Active Directory access immediately and then removing access to other systems within a week or a month.
Authentication
The newly published regulation states that “Multi-factor Authentication (MFA) shall be utilized for any individual accessing any information systems.” In addition to MFA, entities must implement an automated solution to block commonly used passwords for all information systems. Commonly used passwords are typically names, usernames, seasons, and common dictionary words. These new requirements build on the existing requirement that entities implement and maintain an entity-wide password standard.
If these controls cannot be implemented, the CISO must document a compensating control to mitigate this risk and review these controls annually for accuracy.
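One way to implement the commonly-used-password block described above, added here as an example (not the regulation’s text or any vendor’s product), screening candidate passwords against the categories the text names (usernames, names, seasons, dictionary words) plus an entity’s own terms; the denylist entries are constructed and illustrative, and a real deployment would load a much larger corpus into the same sets:

```python
import re
from typing import Iterable, Optional

# Constructed, illustrative denylist terms for the categories named in the
# text. A real deployment would load far larger lists into these sets.
SEASONS = {"spring", "summer", "autumn", "fall", "winter"}
COMMON_NAMES = {"michael", "jennifer", "john", "sarah"}
DICTIONARY_WORDS = {"password", "welcome", "letmein", "qwerty", "dragon"}

# Character substitutions users apply to sneak a blocked word past a naive
# exact-match check ("P@ssw0rd", "W1nter").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(candidate: str) -> str:
    """Reduce a password to its core word for denylist comparison:
    lower-case, drop trailing digits/symbols, then undo leet substitutions.
    'Summer2023!' -> 'summer', 'P@ssw0rd1' -> 'password'."""
    lowered = candidate.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    return stripped.translate(LEET)


def is_blocked(candidate: str, username: str = "",
               org_terms: Iterable[str] = ()) -> Optional[str]:
    """Return the reason a candidate password is blocked, or None if it
    passes screening. `org_terms` lets an entity add its own name/products."""
    core = normalize(candidate)
    user = username.lower()
    if user and (user in candidate.lower() or user in core):
        return "contains username"
    categories = [
        ("season", SEASONS),
        ("common name", COMMON_NAMES),
        ("dictionary word", DICTIONARY_WORDS),
        ("organization term", {t.lower() for t in org_terms}),
    ]
    for label, words in categories:
        for word in sorted(words):
            # substring match so 'wintertime' and 'mysummer' are also caught
            if word in core:
                return f"{label}: {word}"
    return None


if __name__ == "__main__":
    for pw in ("Summer2023!", "P@ssw0rd1", "jsmith2024", "correct-horse-battery-staple"):
        print(pw, "->", is_blocked(pw, username="jsmith") or "allowed")
```

Length and complexity rules belong in the entity-wide password standard the text mentions; this check only covers the denylist requirement.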
Monitoring
Specific updates to monitoring include requirements to implement technologies that detect and respond to anomalous activity, such as lateral movement through a network and elevation of privileges. There is also a new requirement for entities to have a centralized logging solution. While both of these requirements are new to NYDFS, these controls are already best practices required by other regulatory agencies such as the FDIC.
In the event of a cybersecurity incident or significant change, the CISO is required to report this to the senior governing body or senior officials in a timely manner. While the definition of a timely manner is not explicitly stated, notification of cyber incidents or events must be given to the primary regulator within thirty-six hours. In addition to notifying the regulatory agency, CISOs should also notify their senior governing body. For less urgent matters, such as significant changes to policies and procedures, reporting should be completed at the next scheduled governing body meeting.
Annual Reviews
In addition to reviewing the Information Security Program, there are numerous items throughout the new regulations that covered entities will be required to review annually for updates and accuracy. These items are:
- Risk Assessments
- Encryption of Data
- Business Continuity Plan & Testing
- Incident Response Plan & Testing
In addition to the listed items, any exceptions to NYDFS requirements should have a written exception and documentation of compensating controls by the CISO. These are to be reviewed annually for accuracy.
Institutions affected by these amendments should work towards implementing these takeaways as soon as possible and implement additional policy updates before April 15, 2024. Wolf has experience with a significant number of New York State institutions that are required to comply with NYDFS and is available to discuss full reviews and gap assessments if needed. Reach out to our IT Audit team today for assistance with meeting these new requirements. Alternatively, if your organization needs an expert who can bridge the gap between regulatory obligations and business objectives, our expert Virtual Chief Information Security Officers (vCISOs) are there to help.