The NYDFS cybersecurity requirements, first enacted in 2017, are now fully in place and helping to address glaring shortcomings in data security. OneSpan’s Michael Magrath provides a quick recap of the fourth and final phase of mandates to help organizations ensure they’re up to speed.
New York’s reputation as the “financial capital of the world” is legendary. The New York State Department of Financial Services (NYDFS) regulates approximately 1,500 financial institutions and banks, as well as over 1,400 insurance companies, and the overwhelming majority of financial institutions conducting business in the U.S. fall under NYDFS regulation – including international organizations operating in New York.
The NYDFS Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500), first enacted in 2017, are now fully in place, and all banks and financial services companies operating in the state must secure their assets and customer accounts against cyberattacks in compliance with its mandates.
The regulation requires financial institutions to implement specific policies and procedures to better protect user data and to implement effective third-party risk management programs with specific requirements – both digital and physical.
While the financial sector has long been ahead of other sectors in terms of data protections, the regulation is nonetheless helping to address glaring shortcomings in data security by requiring specific reporting procedures, cybersecurity policies, the designation of a Chief Information Security Officer (CISO), incident response and notification requirements, penetration testing, security awareness training and board-level communication.
Among the regulation’s mandates is the use of multifactor authentication “to protect against unauthorized access to Nonpublic Information or Information Systems” – with nonpublic information being the individual’s private information.
By not mandating a specific technology solution, the regulation allows financial institutions to continue to deploy the latest and most advanced solutions to protect data and assets. From an authentication standpoint, financial institutions can continue to deploy user-friendly, secure, frictionless solutions such as adaptive authentication to meet the multifactor authentication requirements that are mandated for all individuals with certain access levels.
Section 500.12 – Multifactor Authentication (MFA)
- Based on the risk assessment, each organization must use effective controls, which can include risk-based authentication or multifactor authentication, in an effort to protect nonpublic information or information systems from unauthorized access.
- MFA must be used for any individual accessing the organization’s internal networks from an external network (the only exception is if the organization’s CISO has given written approval for the use of equivalent or more secure access controls).
This is a necessary step-up in security posture, because as reported in Verizon’s 2017 Data Breach Investigations Report, “81 percent of hacking-related breaches leverage stolen and/or weak passwords.” With that in mind, there is a strong likelihood that, had multifactor authentication been mandated earlier, it might have prevented or sharply reduced the impact of many of the data breaches we’ve seen over the last few years.
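As an added illustration of how the Section 500.12 remote-access rule above can be audited (this is example code written for this page, not OneSpan’s or NYDFS’s), the following check scans constructed login records and flags successful external-to-internal logins that completed without MFA, honoring a list of accounts covered by a written CISO exception. The log field names, CIDR blocks and exception list are assumptions.

```python
"""Audit check for the 23 NYCRR 500.12 remote-access rule: every login to the
internal network from an external network must have completed MFA, unless the
CISO has approved an equivalent control for that account in writing.
Constructed sample data; field names and the exception list are assumptions."""
import ipaddress

# Constructed: CIDR blocks the organization treats as its internal network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed: accounts holding a written CISO exception under 500.12.
CISO_EXCEPTIONS = {"svc-backup"}

# Constructed login records (key=value per line), as an auth log might emit.
SAMPLE_LOG = """\
ts=2019-03-01T08:00:01Z user=alice src=203.0.113.7 dst=vpn.example.test mfa=true result=success
ts=2019-03-01T08:02:10Z user=bob src=198.51.100.23 dst=vpn.example.test mfa=false result=success
ts=2019-03-01T08:05:44Z user=carol src=10.1.2.3 dst=fileserver mfa=false result=success
ts=2019-03-01T08:07:12Z user=svc-backup src=198.51.100.9 dst=sftp.example.test mfa=false result=success
ts=2019-03-01T08:09:30Z user=dave src=192.0.2.55 dst=vpn.example.test mfa=false result=failure
"""

def parse_line(line):
    """Turn 'k=v k=v ...' into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())

def is_external(src):
    """True when the source address lies outside every internal CIDR block."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in INTERNAL_NETS)

def find_violations(log_text):
    """Return (ts, user, src) for successful external logins that lacked MFA
    and are not covered by a CISO exception."""
    violations = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["result"] != "success" or not is_external(rec["src"]):
            continue  # only successful external-to-internal access is in scope
        if rec["mfa"] == "true" or rec["user"] in CISO_EXCEPTIONS:
            continue  # compliant, or explicitly excepted in writing
        violations.append((rec["ts"], rec["user"], rec["src"]))
    return violations

if __name__ == "__main__":
    for ts, user, src in find_violations(SAMPLE_LOG):
        print(f"500.12 violation: {user} from {src} at {ts} without MFA")
```

Internal-source logins (carol) and failed attempts (dave) are out of scope for this rule, and the excepted service account is skipped, so only bob’s login is reported.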
The last of the four phases of implementation has just come into effect, marking the end of the two-year transition period. It specifies that “the organization must document written procedures and policies to ensure third-party risk management programs protect information systems and nonpublic information.” Among the Phase 4 key provisions and requirements for the financial services provider’s own systems and processes are:
- Written policies and procedures designed to protect users from risks posed by third-party service providers;
- The identification and risk assessment of third-party service providers;
- Minimum cybersecurity practices required of third parties;
- The evaluation of third-party cybersecurity practices through due diligence; and
- Periodic risk-based assessments.
There are also policies and procedures for third-party service providers, including guidelines for due diligence and contractual protections, addressing:
- Access controls, including multifactor authentication;
- Encryption;
- Notifications to be provided to the primary organization in response to a cybersecurity event; and
- Representations and warranties for a third party’s cybersecurity policies and procedures.
Though Phase 4 must be implemented this year, there is one final deadline still looming: Banks and financial institutions are not required to certify their compliance with the regulation’s third-party service provider risk management provisions until February 15, 2020.