The New York State Department of Financial Services (NYDFS) 23 NYCRR 500 Cybersecurity Requirements for Financial Services Companies is a relatively comprehensive new regulation intended to ensure the security of “Non-Public Information” (largely personally identifiable information). This is an effort to combat recent rises in cyber crime, high-profile data breaches and other “hacking” crimes. We have recently spent a lot of time on the phone with concerned individuals at small to mid-sized financial service and insurance companies, trying to put together a plan to help them deal with NYCRR 500.
If you are reading this blog post, there is a pretty fair chance you face a similar challenge. The best place to start is to grab an official copy of the NYDFS cybersecurity regulation, jump to section 500.19, and cross your fingers. Section 500.19 outlines exclusions. If yours is a smaller organization (fewer than 10 employees, less than $5 million in annual revenues in New York State, or less than $10 million in total assets), you are exempted from a good portion of the requirements (500.04, 500.05, 500.06, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16).
If your business is large/unlucky enough that you need to conform with the whole standard, you’re going to need to make a plan.
Making a Project Plan for NYDFS Cybersecurity Regulation Compliance
A simple project plan for complying with the new NYDFS cybersecurity regulation looks like this:
- Review 500.04 and formally appoint a CISO with the responsibilities and accountabilities required to put the NYDFS security program in place.
- Conduct a Risk Assessment, which is required by Section 500.09. If you do not yet have a formal, documented assessment methodology, you will need to develop one. Personally, I prefer an information/process-centric approach over an asset-based approach as it’s more intuitive—but either will suffice.
- In order to conduct the Risk Assessment in Step 2, you will likely need to conduct a scoping exercise first. The purpose of the scoping exercise is to inform and bound the assessment. The scope will logically be centered on the “Non-Public Information” that NYCRR 500 is intended to address. Scoping identifies the information, assets (people, systems, networks), locations, third parties, interested parties, contractual obligations, interfaces, dependencies, and legal/regulatory requirements that contribute to risk and to your risk mitigation strategies.
- Build a Risk Treatment plan from the Risk Assessment, ensuring that the treatments conform with any prescriptive NYCRR 500 guidance. The assessment informs many of the requirements. For example, 500.15 Encryption of Non-Public Information provides some latitude with respect to the approach, assuming that the risk is low.
- Document your controls that address Sections 500.02 (Cybersecurity Program), 500.03 (Cybersecurity Policy), 500.07 (Access Privileges), 500.10 (Cybersecurity Personnel and Intelligence), and 500.16 (Incident Response Plan) to meet the October 1, 2017 deadline.
- Document/implement/operationalize the remaining controls per your Risk Treatment plan, prioritizing by risk and taking the compliance deadlines into account. I would favor risk mitigation over compliance schedules where possible.
The bad news is NYCRR 500 is going to be a lot of work for a lot of organizations. The good news is it is a fundamentally sound regulation that aligns well with good information security practices like ISO 27001, NIST/FISMA, etc. If well implemented, it will notably reduce your risk of data breaches and other common information security traumas. (Read my colleague Chris Dorr’s post on why we think this law might be a “big thing” for more info.)