The Hits Keep Coming: More Transitional Cybersecurity Requirements in New York

October 10, 2018

It has been more than a year and a half since the New York Department of Financial Services cybersecurity regulations (cyber rules) came into effect, and yet another compliance deadline has passed.

Broadly, “covered entities” (which means you, if you are an insurer, individual broker, agent or adjuster licensed by or registered with the NYDFS) were required to have implemented audit trails so that security incidents can be detected and responded to quickly, and so that material financial transactions can be reconstructed in the event that electronic data is modified or erased (for example, if ransomware encrypts all of the files on your server and you are unable to retrieve them).

In addition, the cyber rules require you to have written and implemented policies for, among other things, the retention and disposal of nonpublic information. Likewise, your business should have implemented encryption or other commensurate controls to protect the confidentiality and integrity of data in transit and at rest.

Indeed, all of the foregoing should have been completed by September 3rd so that you can file next year’s certification of compliance with the superintendent of Financial Services no later than February 15, 2019. In case you are unsure whether your efforts this year have complied with the new cybersecurity regulations, here is a more detailed description of your most recent obligations as they are set forth in the cyber rules:

Based on its risk assessment, each covered entity shall securely maintain systems that, to the extent applicable:

  • are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the covered entity; and
  • include audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations of the covered entity.

Breaking this down, the first requirement focuses on your ability to recover data whose integrity/validity has been affected, such as in the case of ransomware or data modification attacks. For example, if your billing records are deleted or encrypted by an attacker so that you have no way of knowing which clients had paid and when, you would need to have a backup of those systems so that you could reconstruct that data.

The second requirement is focused on your ability to identify and track potential attacks on your networks, regardless of whether data is modified. This could involve maintaining system or firewall logs, monitoring unsuccessful login attempts, account logins during odd hours or from unusual time zones, or other indicators that may suggest your system has been compromised. Many networks have the capability of generating these records, so you will want to make sure that you have a system in place to monitor and review them as appropriate.
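The following is an added example, not code from the original article: it reviews an audit trail for two of the indicators named above, repeated unsuccessful login attempts and account logins during odd hours. The log format, thresholds, business hours and sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values; set them from your own risk assessment.
FAIL_THRESHOLD = 5                    # failed logins per user ...
FAIL_WINDOW = timedelta(minutes=10)   # ... within this sliding window
BUSINESS_HOURS = range(7, 20)         # 07:00-19:59, timestamps taken as local time

# Constructed sample audit-trail lines in a hypothetical format.
SAMPLE_LOG = """\
2018-09-04T09:12:01 LOGIN_OK user=asmith src=198.51.100.10
2018-09-04T14:03:10 LOGIN_FAIL user=jdoe src=203.0.113.7
2018-09-04T14:03:15 LOGIN_FAIL user=jdoe src=203.0.113.7
2018-09-04T14:03:21 LOGIN_FAIL user=jdoe src=203.0.113.7
2018-09-04T14:03:26 LOGIN_FAIL user=jdoe src=203.0.113.7
2018-09-04T14:03:32 LOGIN_FAIL user=jdoe src=203.0.113.7
2018-09-04T16:40:00 LOGIN_FAIL user=asmith src=198.51.100.10
2018-09-05T02:47:19 LOGIN_OK user=billing_svc src=203.0.113.7
"""

def parse(line):
    """Split 'timestamp EVENT key=value ...' into (datetime, event, attrs)."""
    ts, event, *fields = line.split()
    attrs = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), event, attrs

def review(log_text):
    """Return (alert_kind, user, timestamp) tuples for the two indicators."""
    alerts = []
    recent_fails = defaultdict(deque)  # user -> failure times inside the window
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    for ts, event, attrs in events:
        user = attrs.get("user", "?")
        if event == "LOGIN_FAIL":
            window = recent_fails[user]
            window.append(ts)
            while ts - window[0] > FAIL_WINDOW:  # drop failures older than the window
                window.popleft()
            if len(window) == FAIL_THRESHOLD:    # alert once as the burst hits the limit
                alerts.append(("repeated_failures", user, ts))
        elif event == "LOGIN_OK":
            if ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5:  # night or weekend
                alerts.append(("off_hours_login", user, ts))
    return alerts

if __name__ == "__main__":
    for kind, user, ts in review(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind} user={user}")
```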

Each covered entity’s cybersecurity program shall include written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications utilized by the covered entity, and procedures for evaluating, assessing or testing the security of externally developed applications utilized by the covered entity within the context of the covered entity’s technology environment. These procedures, guidelines and standards shall be periodically reviewed, assessed and updated as necessary by the CISO (chief information security officer) or a qualified designee of the covered entity.

If you are developing your own software products, whether internally or through an independent developer, this requirement focuses on your ability to incorporate secure development practices. This involves factoring in security throughout the entire data life-cycle, from the moment it is collected, through processing, storage, and ultimately, data destruction, dictated in part by your data retention policy – you have one of those, right?

Speaking of which, each covered entity shall include policies and procedures for the secure disposal on a periodic basis of any non-public information that is no longer necessary for business operations or for other legitimate business purposes of the covered entity, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained. Data retention has also become a hot topic under the EU’s General Data Protection Regulation, which became enforceable on May 25, 2018.

Each covered entity shall implement risk-based policies, procedures and controls designed to monitor the activity of authorized users and detect unauthorized access or use of, or tampering with, nonpublic information by such authorized users. In other words, you should have systems in place that can monitor user activity (for example, data loss prevention, or DLP, and intrusion detection/prevention systems, or IDS/IPS), designed to trigger alerts if either an unauthorized user accesses your systems or an authorized user starts accessing nonpublic information they shouldn’t be. This regulation focuses on the risk of insider threats, an issue too often overlooked when organizations focus on security primarily at their network borders.

Based on its risk assessment, each covered entity shall implement controls, including encryption, to protect nonpublic information held or transmitted by the covered entity both in transit over external networks and at rest. To the extent a covered entity determines that encryption of nonpublic information in transit over external networks is infeasible, the covered entity may instead secure such nonpublic information using effective alternative compensating controls reviewed and approved by the covered entity’s CISO.

So does this mean you need to encrypt all of your data? Not necessarily. There are many benefits to encryption – for example, data that was encrypted with a strong encryption standard and is exfiltrated without the encryption key is essentially a blob of useless data that will take more effort to crack than it is worth. However, the cyber rules acknowledge that encryption may not be the most appropriate control in all cases and leave the door open for compensating controls. This does not mean that encryption is optional, but if you have another control to protect the data that is commensurate with encryption, that could potentially be an acceptable alternative control.

Again, your certification of compliance is due to the superintendent by February 15, 2019. In the meantime, there may be more work to be done.

As a reminder, beginning March 1, 2018, your CISO became obligated to report at least annually to the key stakeholders in your organization on the strengths, weaknesses, past performance and future objectives of your security program. And unless you qualified for a limited exemption or are engaged in continuous monitoring, you also need to submit to annual penetration testing, in which security professionals actively test whether they can hack you by penetrating your organization’s security defenses.

Additionally, you must perform bi-annual vulnerability assessments and actively train all organization personnel on security awareness and best practices, similar to the harassment training many organizations already perform.

In addition, you are urged to mark your calendars – the final transitional compliance deadline is March 1, 2019, when covered entities like you must have in place a third-party service provider security policy that addresses a risk assessment of third parties with access to your systems or data, as well as a statement of the minimum cybersecurity practices you will require from them.

Understandably, the cyber rules are a lot of work, so if your organization needs assistance satisfying any of the requirements above, a cybersecurity/regulatory professional should be consulted.