The Hits Keep Coming: More Transitional Cybersecurity Requirements in New York
It has been more than a year and a half since the New York Department of Financial Services’ cybersecurity regulations (cyber rules) came into effect, and yet another compliance deadline has passed.
Broadly, “covered entities” (any person or organization operating under a license, registration, charter or similar authorization from the NYDFS, which for the insurance industry means insurers and the individual brokers, agents and adjusters licensed by or registered with the department) were required to have implemented audit trails so that security incidents can be detected and responded to quickly, and so that material financial transactions can be reconstructed if electronic data is modified or erased.
In addition, the cyber rules require written and implemented policies for, among other things, the retention and disposal of nonpublic information. Likewise, a business should have implemented encryption or other commensurate controls to protect the confidentiality and integrity of data in transit and at rest.
Indeed, all of the foregoing should have been in place by September 3, 2018, the 18-month transitional deadline, because it must be covered by next year’s certification of compliance, which is due to the superintendent of financial services no later than Feb. 15, 2019.
In case you are unsure if your efforts this year have complied with the new cybersecurity regulations, here is a more detailed description of your most recent obligations as they are set forth in the cyber rules:
Audit Trails (new for September 2018)
Based on its risk assessment, each covered entity shall securely maintain systems that, to the extent applicable:
- are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the covered entity; and
- include audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations of the covered entity.
Breaking this down, the first requirement is about your ability to reconstruct transactions whose data has lost its integrity, as in a ransomware or data-modification attack. In practice that means retained transaction records and backups that are stored separately from production systems, so that the same attack cannot destroy both the data and the means of rebuilding it. The second requirement is about your ability to identify and track attacks on your systems whether or not any data is modified. This could involve retaining system, authentication and firewall logs; alerting on bursts of unsuccessful login attempts, account logins at odd hours or from unusual locations; and watching for other indicators that your systems may have been compromised. Note that the cyber rules also set minimum retention periods for these records: at least five years for the transaction-reconstruction records and at least three years for the audit trails, so log storage must be sized and protected accordingly.
Application Security
Each covered entity’s cybersecurity program shall include written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications utilized by the covered entity, and procedures for evaluating, assessing or testing the security of externally developed applications utilized by the covered entity within the context of its technology environment. These procedures shall be periodically reviewed and updated as necessary by the CISO (chief information security officer) or a qualified designee of the covered entity.
If you are developing your own software, whether internally or through an independent developer, this requirement focuses on your ability to build security into the software development life-cycle: design, coding, code review, security testing and deployment. It also covers the data the application handles, from the moment it is collected through processing and storage to its eventual destruction, the timing of which is dictated in part by your data retention policy (you have one of those, right?). Applications you buy or license rather than build, including open-source components, are not exempt; the rule requires that you have a documented way to evaluate and test their security in your own environment.
Limitations on Data Retention
Speaking of which, each covered entity shall include policies and procedures for the secure disposal on a periodic basis of any non-public information that is no longer necessary for business operations or other legitimate business purposes of the covered entity, except where such information is required to be retained by law or where targeted disposal is not feasible due to the manner in which the information is maintained. Data retention has also become a hot topic under the EU’s General Data Protection Regulation, which became enforceable on May 25, 2018.
Training and Monitoring
Each covered entity shall implement risk-based policies and controls designed to monitor the activity of authorized users and detect unauthorized access or tampering with nonpublic information by such authorized users. In other words, you should have systems in place that monitor user activity (for example, data loss prevention, or DLP, and intrusion detection/prevention systems, or IDS/IPS) and that raise an alert when an unauthorized user gets into your systems, or when an authorized user accesses or modifies nonpublic information in a way that falls outside their normal role, such as pulling far more records than their job requires or doing so at unusual times. This provision is aimed at insider threats, a risk too often overlooked when organizations concentrate their security at the network border.
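The audit-trail indicators described above (bursts of failed logins, off-hours logins) and the insider-threat monitoring described in this section come down to the same thing in practice: rules evaluated over the logs you retain. The following is an added example, not code from the original article or from the NYDFS, that runs three such rules over a constructed audit trail. The log format, the thresholds and the 08:00 to 18:00 UTC business-hours window are all assumptions chosen for illustration; real values come from your risk assessment.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed audit-trail lines (not real data). The "timestamp key=value ..." layout
# is a hypothetical format for this example; adapt parse_line() to your own logs.
SAMPLE_LINES = [
    "2018-09-03T09:02:11Z event=login user=alice result=OK src=198.51.100.10",
    "2018-09-03T09:05:40Z event=login user=bob result=FAIL src=203.0.113.5",
    "2018-09-03T09:05:42Z event=login user=bob result=FAIL src=203.0.113.5",
    "2018-09-03T09:05:44Z event=login user=bob result=FAIL src=203.0.113.5",
    "2018-09-03T09:05:46Z event=login user=bob result=FAIL src=203.0.113.5",
    "2018-09-03T09:05:49Z event=login user=bob result=FAIL src=203.0.113.5",
    "2018-09-03T09:05:51Z event=login user=bob result=OK src=203.0.113.5",
    "2018-09-03T10:15:00Z event=record_access user=alice record=POL-1001",
    "2018-09-03T10:16:00Z event=record_access user=alice record=POL-1002",
    "2018-09-03T23:41:03Z event=login user=carol result=OK src=192.0.2.77",
] + [
    # An authorized user pulling 25 policy records in under half a minute, late at night.
    f"2018-09-03T23:42:{i:02d}Z event=record_access user=carol record=POL-{2001 + i}"
    for i in range(25)
]


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict with an aware UTC datetime."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def _count_in_window(window, ts, span):
    """Append ts, drop entries older than span, and return how many remain."""
    window.append(ts)
    while ts - window[0] > span:
        window.pop(0)
    return len(window)


def detect(lines, fail_threshold=5, fail_span=timedelta(seconds=60),
           business_hours=(8, 18), access_threshold=20, access_span=timedelta(hours=1)):
    """Return (rule, user, detail) tuples for the three indicators discussed in the text.

    Thresholds and the business-hours window (hours in UTC) are assumptions for this
    example; a real deployment derives them from its risk assessment.
    """
    alerts = []
    failed = defaultdict(list)    # user -> timestamps of recent failed logins
    accessed = defaultdict(list)  # user -> timestamps of recent NPI record accesses
    for event in (parse_line(line) for line in lines if line.strip()):
        kind, user, ts = event.get("event"), event.get("user"), event["ts"]
        if kind == "login" and event.get("result") == "FAIL":
            # Password guessing: N failures against one account inside the span.
            if _count_in_window(failed[user], ts, fail_span) == fail_threshold:
                alerts.append(("failed_login_burst", user, event.get("src")))
        elif kind == "login" and event.get("result") == "OK":
            # Successful login outside business hours.
            if not business_hours[0] <= ts.hour < business_hours[1]:
                alerts.append(("off_hours_login", user, event.get("src")))
        elif kind == "record_access":
            # Insider-threat indicator: an authorized user reading far more records
            # than a normal workflow needs within the span.
            if _count_in_window(accessed[user], ts, access_span) == access_threshold:
                alerts.append(("bulk_record_access", user, event.get("record")))
    return alerts


def run_sample():
    """Run the rules over the constructed sample; each rule fires once on crossing."""
    return detect(SAMPLE_LINES)


if __name__ == "__main__":
    for alert in run_sample():
        print(*alert)
```

Each rule fires once when its threshold is crossed rather than on every subsequent event, which keeps the alert volume proportional to incidents rather than to log volume. Alice, who logs in during business hours and reads two records, produces no alert; Bob's five failures in eleven seconds, Carol's 23:41 login and Carol's bulk record pull each produce one.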
Encryption of Nonpublic Information
Based on its risk assessment, each covered entity shall implement controls, including encryption, to protect nonpublic information held or transmitted by the covered entity both in transit over external networks and at rest. To the extent a covered entity determines that encryption of nonpublic information in transit over external networks, or at rest, is infeasible, the covered entity may instead secure such nonpublic information using effective alternative compensating controls reviewed and approved by its CISO. Where compensating controls are used, the cyber rules require the CISO to review the feasibility of encryption and the effectiveness of those controls at least annually.
So does this mean you need to encrypt all of your data? Not necessarily. There are real benefits to encryption: data exfiltrated from your systems that was encrypted with a modern, properly implemented algorithm is, to an attacker who does not also hold the key, a blob that is computationally infeasible to recover. That benefit depends entirely on key management, however; keys stored next to the data they protect, or reachable with the same credentials, offer little more than no encryption at all. The cyber rules acknowledge that encryption may not be the most appropriate control in every case and leave the door open for compensating controls. This does not make encryption optional, but if you have another control that protects the data to a degree commensurate with encryption, and your CISO has reviewed and approved it, that could be an acceptable alternative.
Again, your certification of compliance is due to the superintendent by Feb. 15, 2019. In the meantime, there may be more work to be done.
As a reminder, beginning March 1, 2018, your CISO became obligated to report in writing at least annually to your board of directors (or equivalent governing body, or the senior officer responsible for the cybersecurity program) on the strengths, weaknesses, past performance and future objectives of your security program.
Unless you qualified for a limited exemption or are engaged in continuous monitoring, you also need to submit to annual penetration testing, in which security professionals actively test whether they can hack you by penetrating your organization’s security defenses.
Additionally, you must perform vulnerability assessments at least twice a year and provide all personnel with regular security awareness training that reflects the risks identified in your risk assessment, in the same way that many organizations already run recurring harassment training.
In addition, you are urged to mark your calendars — the final transitional compliance deadline is March 1, 2019, when covered entities like you must have in place a third party service provider security policy that addresses a risk assessment of third parties with access to your systems or data as well as a statement of the minimum cybersecurity practices you will require from them.
Understandably, the cyber rules are a lot of work, so if your organization needs assistance satisfying any of the requirements above, a cybersecurity/regulatory professional should be consulted.