Why You Should Care About the NY DFS Cybersecurity Regulation
In an already highly regulated industry like financial services, adding another compliance requirement should have little effect. However, when the New York Department of Financial Services (NY DFS) issued 23 NYCRR 500, which went into full effect in 2019, many of its cybersecurity requirements seemed overwhelming even to the largest financial institutions. With limited guidance available on the new cybersecurity rules, the NY DFS released its first enforcement action in July 2020, reminding the industry why everyone should care.
What is the NY DFS Cybersecurity Regulation and why should you care?
In the last three years, cybersecurity regulatory requirements and industry standards have come a long way. On its March 1, 2017, release date, the NY DFS Cybersecurity Regulation made headlines for creating a multitude of compliance requirements now considered best practices.
Continuous Controls Monitoring
First, and probably most importantly, the Cybersecurity Regulation was one of the first regulations to require continuous monitoring.
According to 500.15, “Penetration testing and vulnerability assessments”:
The cybersecurity program for each covered entity shall include monitoring and testing, developed in accordance with the covered entity’s risk assessment, designed to assess the effectiveness of the covered entity’s cybersecurity program. The monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments. Absent effective continuous monitoring, or other systems to detect, on an ongoing basis, changes in information systems that may create or indicate vulnerabilities
Many organizations still relied on traditional audits that only provided cybersecurity controls assurance for a designated period of time. However, the Cybersecurity Regulation recognized that the continuous evolution of malicious actor threat methodologies meant that controls securing data today could be outdated tomorrow.
Continuous controls monitoring, now considered a best practice, became more formalized under this law.
Third-Party Vendor Risk Management
Second, the Cybersecurity Regulation codified the requirement that companies monitor their third-party vendors and reinforced that organizations are held responsible for data breaches occurring in their supply chain.
Of note, the regulation requires as part of 500.11, “Third party service provider security policy,” the following:
- (a)(4): periodic assessment of such third party service providers based on the risk they present and the continued adequacy of their cybersecurity practices.
As part of establishing a Cybersecurity Regulation compliant vendor risk management program, many organizations looked to monitor their vendors’ cybersecurity posture continuously. With this approach, many companies looked to provide assurance that they monitored their supply chain partners as diligently as they monitored their own security.
Who is a covered entity under 23 NYCRR 500?
23 NYCRR 500 defines a “covered entity” as any person or entity required by the Banking Law, the Insurance Law, or the Financial Services Law to operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization.
Examples of covered entities include:
- Commercial banks
- Credit unions
- Health insurers
- Life insurers
- Licensed lenders
- Private bankers
- Savings and loan associations
Finally, the regulation placed responsibility for governing and approving the program on a company’s senior officers, defined as individuals or committees responsible for the management, operations, security, information systems, compliance, and/or risk of a covered entity.
Why the Cybersecurity Regulation focuses specifically on encryption
Although many regulations hint at controls rather than laying them out specifically, the NY DFS Cybersecurity Regulation clearly states that encryption acts as a primary security control protecting data.
First, section 500.15 requires encryption of nonpublic information, stating:
As part of its cybersecurity program, based on its risk assessment, each covered entity shall implement controls, including encryption, to protect nonpublic information held or transmitted by the covered entity both in transit over external networks and at rest.
Encryption is also listed under section 500.11(c)(2), which requires that vendors’ policies and procedures incorporate the “use of encryption as required by section 500.15 of this Part to protect nonpublic information in transit and at rest.”
In short, all organizations throughout the NY DFS regulated supply chain need to use encryption as a fundamental control for protecting customer data security.
The NY DFS reaffirmed encryption’s importance on April 13, 2020, in its “Guidance to Department of Financial Services (“DFS”) Regulated Entities Regarding Cybersecurity Awareness During COVID-19 Pandemic” (the Guidance). The Guidance explicitly notes that the “abrupt shift to mass remote working” created “new security challenges” and that regulated entities needed to ensure “secure connections” and manage the associated security risk.
For example, organizations need to prove that all data remains encrypted while in transit or at rest. This includes information shared across a collaborative, distributed workforce.
Ultimately, organizations not only need to encrypt data at rest and in transit, they also need to provide documentation proving that this control remains effective at all times, even across a distributed workforce.
Has the NY DFS enforced the regulation?
In July 2020, the NY DFS released its first enforcement action. Regarding the timing, organizations should take note that New York State was a coronavirus hot spot during spring 2020. Despite the impact this had on the state’s economy, the NY DFS still pushed forward with its enforcement action, indicating that it would give few or no breaks to companies during this time.
A look at the charging document gives insight into the NY DFS position and the value that encryption would have provided as a mitigating control. According to the charging document, the business at issue left sensitive personal data exposed, despite knowing that a vulnerability existed. From at least October 2014 through May 2019, the company had a public-facing web application that left sensitive personal information exposed. The NY DFS detailed the multiple points of failure that led to the exposure’s longevity, including:
- Grossly underestimating risk
- Ignoring internal cybersecurity staff
- Failing to follow organizational policies
- Lacking adequate sample size during document review
- Compounding administrative error
- Assigning an unqualified employee to remediation effort
The charging document explains that the organization’s image repository contained 753 million documents, 65 million of which were tagged as containing nonpublic personal information (NPI). A random sample of 1000 documents, however, showed that 30% contained NPI without being tagged as such. Additionally, individuals involved in transactions were able to email document links, and anyone who had the link or URL for the website could access the data without a login ID or any other authentication.
By changing the URL, cybercriminals would be able to gain access to sensitive information.
Take the following records:
- Jane Doe: www.website.com/12345
- John Smith: www.website.com/123456
The last character of the URL is the only difference between these two records. A cybercriminal with access to one of these would be able to “guess” at additional records, leaving them at risk.
Equally important, based on the charging document, neither information at rest nor information in transit appeared to be encrypted. Had the organization subject to this violation incorporated end-to-end encryption, at least some of the risk could have been mitigated.
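The exposure described above comes from two missing controls: the document number alone is the URL, and no authentication is checked when it is requested. The following illustration, written for this article and not code from the charging document or from any vendor, shows the weak link format beside a hardened one that binds each link to one document, one recipient and an expiry, signs the three with an HMAC, and requires the caller to be logged in as that recipient. The hostname comes from the article’s example records; the document ids, recipients and signing key are constructed.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed signing key for this illustration; a real deployment keeps it in a secret store.
SERVER_KEY = secrets.token_bytes(32)
BASE = "https://www.website.com"  # hostname from the article's example records


def insecure_link(doc_id: int) -> str:
    """The pattern the charging document describes: the document number is the whole URL,
    and nothing ties the link to a person, a session or an expiry."""
    return f"{BASE}/{doc_id}"


def signed_link(doc_id: int, recipient: str, ttl_seconds: int = 900,
                now: Optional[int] = None) -> str:
    """Bind the link to one document, one recipient and an expiry, then sign all three."""
    exp = (int(time.time()) if now is None else now) + ttl_seconds
    msg = f"{doc_id}:{recipient}:{exp}".encode()
    sig = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{BASE}/doc/{doc_id}?u={recipient}&exp={exp}&sig={sig}"


def authorize(url: str, authenticated_user: Optional[str], now: Optional[int] = None) -> bool:
    """Server-side check on every request: the caller must be logged in as the recipient the
    link was issued to, the link must be unexpired, and the signature must verify, so editing
    the document number invalidates the link instead of returning a neighbouring record."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    try:
        doc_id = int(parsed.path.rsplit("/", 1)[-1])
        recipient = query["u"][0]
        exp = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False  # missing or malformed parameters: deny by default
    if authenticated_user is None or authenticated_user != recipient:
        return False  # no login, or a different logged-in user than the link was issued to
    if (int(time.time()) if now is None else now) > exp:
        return False  # link expired
    msg = f"{doc_id}:{recipient}:{exp}".encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)  # constant-time comparison of the signatures
```

Signed links limit who can use a link and for how long; they are not a substitute for encrypting the stored documents themselves, which the article treats as a separate control.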
Why full disk encryption alone cannot satisfy NY DFS Cybersecurity Regulation compliance
As organizations rapidly accelerate their digital transformation strategies, they need to go beyond full disk encryption to ensure that all data collected, stored, and transmitted remains secure.
Full disk encryption protects data stored on devices, usually with the aim of preventing data loss arising from device theft. However, as organizations shift to cloud-first or cloud-only models, it provides little protection for data stored in those locations.
Organizations need to incorporate new technologies that encrypt data stored in the cloud, provide documentation proving governance, and are easy for end-users.
Building encryption into business practices with Atakama
Atakama offers a holistic, user-friendly approach to data encryption. Files saved to Atakama-enabled folders are automatically encrypted with AES using 256-bit keys, and the folders can be located on a user’s network, on a local drive, or in the cloud. When a user requests to open an Atakama-encrypted document, a push notification is sent to the person’s approved secondary device, similar to multi-factor authentication notifications. Once the user confirms that they are who they say they are, the file opens instantly in the user’s preferred format, such as Word.
For organizations that need to prove continuous controls monitoring, Atakama has a logging feature that keeps a detailed history of file access requests, including when they occurred and whether access was granted, denied, or timed out.
To see how the software works in action or for more information please email email@example.com.