Cybersecurity is important for companies in all industries, however it's extremely critical for the financial sector. The state government of New York has provided assistance by adding additional security measures for the financial industry. In 2017, the New York Department of Financial Services (NYDFS) published cybersecurity requirements for financial services companies, referred to by the official name of 23 NYCRR 500. The end of the transition period was March 1, 2019 where all requirements are now in effect.
Ongoing NYDFS 500 Compliance Outlook
Most financial services companies in New York are compliant for phase one of NYDFS, which includes planning and implementation. Operationalizing the plans over the long term will remain an ongoing struggle as organizations obtain and audit NYDFS compliance. In addition, due to the ever-changing cybersecurity landscape, all financial services companies across the globe should incorporate NYDFS regulations into their plan to increase their cybersecurity program.
The NYDFS regulation requires both a clearly defined cybersecurity program (500.02) and a cybersecurity policy (500.03). Although these may appear to be synonymous, there is a big difference between the two. A program is a specific set of instructions for implementing a process to achieve a goal. A policy is a higher level definition of the concepts needed. In essence, think of setting high level policy concerns about cybersecurity and then creating a program that achieves those policy goals for the short term.
In addition to the typical financial services businesses (banks, insurance, mortgage, etc.), Health Maintenance Organizations (HMOs) and continuing care retirement communities (CCRCs) are also regulated by NYDFS.
A policy document stresses the integrated nature of cybersecurity that impacts many areas of a corporation’s business. Section 500.03 lists fourteen different areas including:
- Information Security: Management direction and support for the implementation and operation of information security in accordance with business requirements.
- Data Governance and Classification: Identifying, classifying and protecting information in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification.
- Asset Inventory and Device Management: Identifying organizational assets and how they are deployed, used, managed, maintained and secured within your business environment.
- Access Controls and Identity Management: Limiting access to information and facilities, to ensure authorized user access and to prevent unauthorized access, and to establish processes within the identity management lifecycle.
- Business Continuity and Disaster Record Planning and Resources: The planning, implementing and maintaining of a plan to protect against, prepare for and recover from disruptive incidents when they arise.
- Customer Data Privacy: Privacy and protection practices of personally identifiable information such as the type of information collected and its sensitivity, how the data is used and how long it is kept, who has access to the data and the implementation of security methods to safeguard the data, as well as monitoring and communication of unauthorized disclosures.
You may be wondering, how are IT professionals in a financial company going to take the details of the NYDFS policy and improve their cybersecurity? Luckily, there are more detailed standards to leverage.
Operationalizing NYDFS 500 Using Existing Standards
It is very simple to create a cybersecurity plan, however it is not as simple to implement the plan and maintain it over the long term. To take the program and turn it into a living, operational cybersecurity system, much more detail is needed than is provided in NYDFS 500. Training, monitoring, and reporting for internal audits are three important aspects of the ongoing cybersecurity program.
While the NYDFS 500 is aimed at the financial services industry, much of the required policy and program planning is covered by additional organizations with more comprehensive standards. ISO provides the ISO 27001 and NIST has both the Cybersecurity Framework and NIST 800-53.
ISO 27001 and NIST will help with additional policy decisions, however they are exceptionally detailed when you get to the point of planning programs to implement the policies. They will help in the detailed process of a systems management plan and providing security at the network, hardware, and software levels. In addition, the details in the standards will help organizations plan how to mitigate non-technical risks, how to test the systems, and how to create reporting policies to keep management informed of the effectiveness of cybersecurity policies and programs.
Finding A Sustainable Solution
Cybersecurity is a threat to businesses and robust actions should be taken to address any and all cybersecurity threats. While increasing cybersecurity protocols might create apprehension, there are simple solutions available to relieve you apprehension. Apptega helps companies translate these complex cybersecurity frameworks into a workable plan and protect themselves in today’s interconnected world. The Apptega platform can help you organize different requirements and build your organizations plan. Whether you are looking to follow NYDFS or a blended combination of NYDFS, ISO 27001, and NIST, Apptega can help you fine tune the correct standards for your business.
For more information on how you can accelerate your NYDFS 500, ISO 27001 or NIST goals, please contact us today!