NYDFS: Achieving the New Risk Assessment Requirement
In 2017 the New York State Department of Financial Services (NYDFS) enacted cybersecurity regulations for entities operating within the financial services industry – No other state has issued such regulations. This statute is similar to the federal FFIEC guidance that includes a comprehensive cybersecurity assessment test (FFIEC CAT). The new regulation has strict requirements for data retention and breach reporting. There are rules defined for the basic principles of documentation for all security policies, risk assessments, and data security.
The purpose of these new requirements are to protect sensitive and non-public consumer information that could be used to identify someone.
That said, executing a proper risk assessment is the foundation of your cybersecurity program and NYDFS compliance. The purpose of these new requirements are to protect sensitive and non-public consumer information that could be used to identify someone. The best way to prevent this from happening and simultaneously maintain compliance is to rely heavily upon risk assessment, taking note of gaps in your security posture before they become problems.
The new regulation NYDFS Section 500.09(a), states that it is “designed to promote consumer information protection while simultaneously protecting Information technology systems used by regulated entities.” This new regulation requires every company to conduct a risk assessment and implement a program thereafter with security controls necessary to detect and respond to any cyber attacks to which the company is currently exposed. The intent of the regulation is to conduct a thorough and holistic, documented risk assessment.
It is important to understand that these regulatory changes are recurring and not a one-off. So, your organization will need to make changes going forward that are long lasting knowing that compliance will continue to remain an industry-wide requirement.
Risk Assessment Policies and Procedures – NYDFS Section 500.09(b)
Who’s required to comply?
Achieving risk assessment compliance begins by determining which organizations are subjected to this new regulation. This includes:
- Commercial banks
- Foreign banks
- Mortgage brokers
- Savings and loan associations
- Life insurance companies
- Investment companies
- Private bankers
- Credit unions
- Health insurers
- Licensed lenders
There are a few exemptions to the above list. Companies that fall under at least one the following criteria are not required to comply:
- Less than $10M in year end total assets under Generally Accepted Accounting Principles (GAAP)
- Have fewer than 10 employees (including independent contractors)
- No storing or processing of nonpublic information
- Less than $5M in gross annual revenue in each of the last three fiscal years from NY business operations
Criteria for the evaluation and categorization of identified cybersecurity risks or threats facing the covered entity.
In fact, organizations are currently asked to assess their existing security risks and subsequently develop policies for system monitoring, classification, data governance, access controls, and incident responses and recoveries. Companies are being called to implement specific controls as part of the compliance standards.
Criteria for the assessment of the confidentiality, integrity, security, and availability of the covered entity’s information systems and nonpublic information, including the adequacy of existing controls in the context of identified risks include a handful of new implementations.
Risk Assessments – Covered entities are required to conduct risk assessments periodically in order to assess the confidentiality, security, integrity, and availability company its infrastructure.
Audit Trail – Covered entities will also need to implement an audit trail which is designed to record cybersecurity events and responses therein. All of these records will need to be maintained for 5 years.
Data Retention – There are new limitations on data retention that state covered entities must securely dispose of consumer information that is no longer necessary for daily operations of the business or any other legitimate business purpose.
Access Privileges – Covered entities will also have to limit the access privileges to such sensitive information and periodically review.
Requirements describing how identified risks will be mitigated or accepted based on the Risk Assessment and how the cybersecurity program will address the risks.
Organizations need to outline and describe how they will address risks within their cybersecurity program. Employee response should also be tested to ensure that their protocols are being followed and that they are effective.
Use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity’s Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts.
Covered entities need to develop written plans that document all internal processes for responding to cybersecurity events. This information should include every role and responsibility, communication plan, and any necessary remediations of control. If a cybersecurity event has been detected, notices to the superintendent must be received within 72 hours.
A successful risk assessment process for NYDFS compliance
Covered entities are expected to periodically conduct risk assessments but it’s going to be up to each entity to determine how frequently things like these are done, so long as the minimum annual assessment is met.
Organizations might choose to complete the risk assessment two or three times per year if necessary. Covered entities must take a thoughtful approach to the process. A certain level of granularity is desired – detailed but not overwhelming.
Risk assessment is used as a baseline to justify actions, and therefore the results of risk assessments and the more frequent risk assessments conducted, the easier it will be for entities to take a thoughtful approach and justify different actions throughout the year.
Risk assessment methodology for NYDFS compliance
The risk assessment methodology required for compliance stipulates that covered entities need to identify critical assets and classify them. After that, they should identify and assess any of cybersecurity threats. Once this is done covered entities need to align the cybersecurity threats to assets and map any of those threats to controls. The final step is to determine the effectiveness of those controls.
Developing the methodologies and what to do with it next
Long-term sustainability should be a key theme when you’re constructing your risk assessment methodology. It can be easy to go with the one and done approach of using a spreadsheet or by bringing in an outside consultant but a system that builds off and expands previous year’s work and responses will help you leverage your efforts much better in the long term. Making the risk assessment process more efficient by using workflow automation software will help you build off your previous workload. There are two big pain points near term – last year’s risk assessment requirements and this year’s vendor assessment. Knowing that you have an annual assessment coming up presents an opportunity to come up with a better process. This regulation is here and not going away (will happen yearly). You might as well invest in a workflow solution now.
Making the process more efficient
In order to make the process more efficient for your organization you should start by reviewing your most critical assets first. To stay in line with best practices, you should go back and review your critical assets on a regular basis. In fact, remember that since this is an ongoing process your first attempt doesn’t have to be perfect. You can always continue to look back on your risk assessments and related processes as you move forward, making changes and improvements on a regular basis. Another way that you can make the process more efficient is to use automation tools to save time and money.
NIST CST and FFIEC CAT are two gold standards for risk assessments in the financial services industry. FFIEC CAT is more comprehensive and financial specific but maps back to NIST CSF. With workflow automation software you could do one comprehensive assessment, but report off of (demonstrate compliance to) others via good software.\
You can also use software to achieve compliance more efficiently by relying upon a unified platform to manage all documents and reports which will no doubt make it easier to search information necessary to comply with the audit trail requirement. This type of tool would also make it easier to map who has access to which systems or files in order to comply with the access privileges portion of the regulation.
There are upcoming vendor assessment requirements in March 2019, but you can make sure you are compliant by addressing data classification first and foremost. Your security team will need to conduct the data classification aspect of the risk assessment first so that sensitive data can be evaluated for potential risk and access to said data given to only those who need it. There will be additional training requirements for security staff and reports no longer focus only on situations where information was stolen but on situations where someone attempted nefarious actions.
You can use workflow automation software to achieve compliance more efficiently by relying upon a unified platform to manage all documents and reports which will no doubt make it easier to search information necessary to comply with the audit trail requirement. Workflow automation software can also make it easier to map who has access to which systems or files in order to comply with the access privileges portion of the regulation.
Financial information continues to be a significant driver in breaches, and the NY DFS Cybersecurity regulation aims to curb some of those breaches by requiring appropriate controls are in place. Take the next step toward compliance by performing a risk assessment today!”