Risk management for NYDFS Cybersecurity Regulation compliance
The New York Department of Financial Services (NYDFS), responsible for regulating financial services and products within the state, has recently introduced Cybersecurity Regulation 23 NYCRR 500. It’s no surprise why. Data breaches keep happening, and organizations in the financial services supply chain hold and process incredibly sensitive information.
23 NYCRR 500 requires all organizations within the regulator’s domain conduct a risk assessment and then implement tools to match their cybersecurity risk profiles. What should go into an accurate risk assessment? What are the risks currently faced by financial services organizations and how can they be mitigated for compliance with 23 NYCRR 500?
The risk management approach
Instead of one set of rules for everyone, a key part of 23 NYCRR 500 is that each organization carries out a risk assessment, using the findings to build a bespoke cybersecurity risk profile (Section 500.09). They should then put in place a comprehensive cybersecurity program that recognizes and mitigates the identified risks.
What should be in this program? 23 NYCRR 500 lays out some focus areas:
- Appropriate IT security systems including data protection, encryption (500.15), access controls, penetration testing and vulnerability assessments (500.05).
- Access management enabling enhanced multi-factor authentication for all inbound connections to the internal network (500.12).
- Auditing to reconstruct material financial transactions, as well as detect and respond to cybersecurity events (500.06).
- Reporting and accountability to fulfil requirements to evaluate third-party services providers (500.11), complete an annual compliance certification (500.17(b)), document weaknesses and remediation plans, and notify the superintendent within 72 hours of a breach (500.17).
- Incident response plan to detect and respond to cybersecurity events, plus recover from each event and preserve data (500.16).
- Expertise and funding including designating a Chief Information Security Officer (CISO) responsible for overseeing the cybersecurity program and enforcing data security policy (500.04).
So these are the minimum standards for compliance with 23 NYCRR 500. It covers protecting data with encryption and being able to respond adequately to data breaches, as well as auditing and reporting obligations. But should organizations stop there? What other risks do they face that aren’t specifically covered in these points?
Modern risks need a modern approach
Encryption is useful, auditing is crucial. But also, think about human error. Difficult challenges emerge when people handle sensitive data: we all make mistakes, but you can’t take people out of the equation when thinking about data security. No matter what infrastructure people use now and in the future, the users aren’t going anywhere.
The Verizon Breach Investigations Report highlights this, showing that in the second most common breach pattern (Miscellaneous Errors), over half of these breaches were attributable to mis-delivery of information. So here’s the challenge for compliance: how to add human risks into risk profiles to avoid sharing sensitive content incorrectly, so that organizations can protect client data and their reputation while enabling partners rather than delaying them.
The Egress platform provides privacy and risk management services designed to manage and protect unstructured data in a seamless user experience. By leveraging machine learning-led policy management, encryption and discovery to enable end-users to share and collaborate securely, it helps maintain 23 NCYRR 500 compliance and reduce the risk of loss.
Mitigating the risks specified in a comprehensive risk assessment can become resource intensive and overly complex without the right tools in place. The Egress platform, a data-driven, user centric solution, can reduce human error and provide comprehensive auditing of unstructured data and communications activity. It’s the right step towards meeting the compliance requirements for the end of the eighteen-month transitional period.