New Regulations Bring New Challenges
The New York Dept. of Financial Services (DFS) Cybersecurity Requirements force companies to look into ways to prepare and tactics to navigate new regulations. This risk-driven regulation requires financial services institutions regulated by DFS to establish and maintain a cybersecurity program that protects both customers’ private data and the technology that supports it.
The New York State Department of Financial Services (NYDFS) has recently enacted a new cybersecurity regulation aimed at protecting financial services organizations and their data. The new regulation, known as 23 NYCRR 500, went into effect earlier in the year, but the 180-day transition period ended on August 28, meaning organizations now need to be officially in compliance. More deadlines are approaching in 2018 for other sections of Part 500. Of course, CISOs at financial services firms are no strangers to regulation, having to comply with established control frameworks such as NIST, COBIT and SSAE and with specific regulations such as PCI-DSS and SEC OCIE, to name a few.
However, the NYDFS requirements could become challenging for a few reasons. First, the reach is significant. While it is a state regulation, it naturally applies to companies that do business in New York, including businesses headquartered outside the state as well as international companies. Additionally, the regulation requires organizations to ensure that the third-party organizations they do business with are secure as well.
In addition to its official reach, NYDFS is both forward-looking and specific in its individual sections. The regulation establishes a risk-based approach to a variety of security controls and even specifies instances where multifactor authentication is required.
Let’s look at some of the particulars:
Continuous Monitoring
The NYDFS is very specific about how organizations must identify risk. There are two choices: establish continuous monitoring for internal and external threats, or submit to a regular schedule of penetration testing and vulnerability assessments. By adopting continuous monitoring, organizations can simplify their compliance process and remove the need to document pen tests and vulnerability testing.
There are security solutions that offer simple, low-friction ways to establish continuous, real-time monitoring of an environment. Regular pen testing remains a good idea, but anything that makes documenting compliance easier is welcome. More importantly, a solution that provides visibility and control along with continuous monitoring will make it easier for organizations to meet other NYDFS requirements as well.
User and Device Control
The NYDFS also requires organizations to monitor and control the entities in their environment. This includes device-centric requirements to perform asset inventory and device management as well as more user-centric requirements for access controls and identity management.
In this instance, it is imperative to automatically keep track of users, service accounts and all related devices. Simply being able to document up-to-the-minute visibility of these entities can be very powerful during an audit. Beyond monitoring users, accounts and devices, this also makes it easy to set policies that control access based on any number of factors, including the user's role, the observed risk, or the type of device in use. This combination of visibility and auditable policy enforcement puts organizations on very solid ground when it comes to documenting compliance.
Context Based on Risk
The NYDFS requirements repeatedly call for organizations to identify and manage risk in the environment. Specifically, they call for the establishment of “risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information…”
Additionally, the regulation requires risk-based authentication controls and has very pointed requirements for the use of multifactor authentication. Risk-based authentication is defined as a system that “detects anomalies or changes in the normal use patterns of a Person and requires additional verification of the Person’s identity when such deviations or changes are detected.” The document even calls out the need to trigger multifactor authentication for any connections to internal assets from an outside network.
No security product is a silver bullet for regulatory issues, but a few make it easier to keep up with the NYDFS. For example, it is entirely possible to have every entity in the network constantly monitored and scored on its observed risk. Risk can be recognized from environmental factors such as the use of a weak password, an unmanaged device, or a connection from an outside network. A solution that learns the behavior of every entity can recognize abnormal behavior and raise the entity's risk in response. Any of these individual findings, or the composite risk score, can then drive a policy-based response such as a multifactor authentication challenge or an outright block.
Review the NYDFS regulation closely and consider the extent of its guidelines for continuous monitoring, user and device control, and risk-based context. Aligning with the core concepts in the NYDFS regulation will help reduce your risks, align your security program and avoid steep penalties for violations.