While it may not yet have made a big splash outside of the state of New York or outside of financial circles, last week, the New York Department of Financial Services did something very interesting: it proposed a new law outlining specific information security and third-party risk management (TPRM) requirements for financial institutions under its control.
Many of the readers of this blog are neither based in New York, nor work for financial service companies that would be directly affected by this law, so many of you might be asking the question, “So what?”
There are several reasons why this law may be much more meaningful than is obvious at first glance. We at Pivot Point Security think this law might be a “big thing.” I’ll explain why this law might very well matter to you, and then discuss what the law actually requires.
Since I write often about TPRM issues, the first reason I think this law is important because your company almost certainly is a “third party” to somebody else. This law expressly extends certain requirements to banks. Secondly, we think that this law is only the beginning. In 2002, California became the first state in the US to pass a law about data breaches and data breach notification. Today, virtually every state in the US has laws covering these issues. We fully expect many other states (both legislatures and regulatory agencies) to pass similar cybersecurity laws in the next few years. If the New York law doesn’t affect you now, there’s a very good chance that a similar law will affect you soon.
Thirdly, this law is, in some cases, very explicit about certain security requirements. It is different from many other frameworks that have general requirements, but leave specific implementations or interpretations to the end user. For example, the New York law expressly calls for users who have privileged access to sensitive information to use multi-factor authentication (for example, requiring both a password (something you know) and a code that gets sent to your phone (something you possess) before granting you access. Just as we saw with data breach notification laws that became very explicit and directive in some cases, we expect to see more specific requirements that must be met from these laws.
So even if this law does not directly apply to you right now, it might be useful to understand what is in it. The law, summarized here, has several interesting elements:
The establishment of a cybersecurity program. This requirements seems to be more about IT risk management and identification (ISO 27001, anyone?) than specific technical requirements. It identifies five core elements that have to be present in your cybersecurity program:
1. Identification of cyber risks
2. Implementation of policies and procedures to help prevent attacks
3. Detecting of cybersecurity events
4. Responsiveness to detected events
5. Defined processes to return to normal operations
The adoption of a cybersecurity policy. This requirement mandates written and detailed policies and procedures that expressly address numerous key requirements, including information security, capacity planning, data governance and classification, network monitoring, incident response and customer data privacy, among others. From the wording in the law, it looks like generic policies and procedures will not suffice. Policies must be real, tailored to your environment, and enforced.
Companies are required to appoint a qualified Chief Information Security officer (CISO). Companies will now be required to have senior-level information security expertise on their management teams. While this may seem very daunting to some small and midsized companies, there are good options here. For example, Pivot Point Security has recently opened a practice area in “Virtual CISO” (vCISO) that will allow smaller companies to have the experience and authority of a qualified CISO, without having to bear the full expense. This or similar options might be a very good route for companies needing such expertise quickly, or on a clearly defined budget.
The establishment of a Third Party Risk Management (TPRM) program. This requirement mandates that companies establish a TPRM program to ensure that their suppliers (and presumably other third parties) meet these requirements as well. Taking a line from the Office of the Comptroller of the Currency (OCC) that outlined this philosophy in their document OCC 2013-29, it appears that the New York regulators agree that you can outsource a function, but you can’t outsource responsibility for that function. If somebody else does something for you, you’re still responsible—just as if you had done it yourself.
The new law expressly requires that your TPRM program:
1. Identify and risk-assess risks in your third parties,
2. Establish minimum security requirements that your suppliers must meet,
3. Define and practice due diligence activities to validate that your suppliers are protecting your data effectively, and
4. At least annually assess your third parties for their compliance with your standards and information security in general.
These requirements are actually quite reasonable and consistent with best practices for TPRM; for example, as outlined in the above-mentioned OCC 2013-29. One that may cause some problems, however, is the requirement that your supplier be assessed annually. Many TPRM programs operate on cycles of two, three and even five years. Assessing your suppliers annually may take some reconfiguration and redesign of your existing program and assessment methodology.
There are other requirements as well (e.g., annual penetration tests and cybersecurity training for all users). I urge you to take a look at the law itself. Hopefully what’s discussed above is enough to get you thinking about some of the implications that this law and other similar laws might have for your business.
Pivot Point Security has extensive expertise in all of the areas of this new law. If you have any questions about the law, or how we might be able to help you, we’d love to hear from you.