In March 2017, the first iteration of The New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) came into effect.These requirements set out the minimum cybersecurity program standards that licensed institutions must meet to protect customer information and their IT systems. NYDFS recently released the second proposed amendment to 23 NYCRR 500, which flew under the radar for many.
“With cyber-attacks on the rise, it is critical that our regulation keeps pace with new threats and technology purpose-built to steal data or inflict harm,” said NYDFS Superintendent Adrienne A. Harris, announcing the proposed changes on November 9th.
“Cyber criminals go after all types of companies, big and small, across industries, which is why all of our regulated entities must comply with these standards – whether a bank, virtual currency company, or a health insurance company.”
The draft came out on July 29, however we find ourselves in a comment period until January 9th, 2023, where feedback is permitted. We’ll review these changes, summarize them, and consider the implications and next steps for covered entities, especially those utilizing the public cloud.
All in all, “New York is raising the bar for corporate cyber governance in a big way,” remarked Equifax CISO, Jamil Farshchi on LinkedIn.
With that, let’s review what the proposed amendments address:
Amendments can be split into six main categories: Obligations for larger companies, governance, risk assessment, technical requirements, notification obligations, and penalties.
Obligations for larger companies: Large companies, noted as “Class A” companies, are organizations with over 2,000 employees or $1b in gross annual revenue over the past two years. These Class A companies are now subject to several obligations, including: audits, vulnerability assessments, monitoring, and password controls.
Governance: The original 23 NYCRR 500 held some obligations including reporting to the board, written policies with Senior Officer approval, a mandatory CISO, and others. This new amendment furthers these obligations to add: enforcement of adequate CISO independence; Annual reporting to the board on plans for remediating cybersecurity issues and inadequacies; Board members must have sufficient expertise and knowledge (themselves or have access to advisees with such); Cybersecurity policy approvals must come through the board, as opposed to senior management; Annual certification of compliance signed by the CEO, but the amendment allows for acknowledgement of an incomplete or inadequate compliance status, along with specific deficiencies and remediation plans. Finally, the amendments strengthen the requirements for Business Disaster Recovery Plans including essential data designation, communication preparation, and back-up facilities.
The NYDFS regards governance as a central and critical aspect of good cybersecurity.
Risk Assessment: Changes to risk assessment mandates include a change to the definition of ‘risk assessment’ to be more tailored and specific to the organization. Specificities refer to size, staffing, governance, business, services, products, customers, vendors, etc. – anything relevant to the organization at hand; Additionally, the amendments propose risk assessments be updated annually and that an assessment be conducted any time there is significant business or technology change; Finally, Class A companies are required to use an external expert to conduct their assessment every three years.
Technology: Requirements include a complete asset inventory that tracks owner, location, classification, sensitivity, expiration date, recovery time requirements, and more for all hardware, operating systems, apps, infrastructure, APIs and cloud services.
Additionally, the amendment draft proposed stronger access controls, and focuses strongly on monitoring and control of privileged accounts. This includes requiring adherence to the principle of least privilege – user access privileges should be limited to only the necessary permissions to complete the user’s job function. Periodic reviews (at a minimum annually) of all user access must be conducted, with access being disabled or terminated where it is not required. This change will require covered entities to have robust policies and procedures in place to continuously understand who and what can access nonpublic information – not an easy task. It also mandates the use of a privileged access management solution and automated blocking of commonly used passwords.
One thing to note is that adherence to these technology regulations, especially the asset inventory and privileged account monitoring and control components, will take time to implement well, and organizations should begin the compliance process early.
Notifications: New notification obligations include a requirement to notify NYDFS within 72 hours of any unauthorized access to privileged accounts or ransomware deployment. Additionally, a 24-hour notification requirement for any extortion payment, along with a 30-day reporting period explaining why payment was necessary and that due diligence was conducted.
Penalties: The Draft Amendments clarify two aspects regarding penalty; First, that any failure to satisfy an obligation constitutes a violation, including failure to comply with any 24-hour period policy. Second, the Draft outlines a few mitigating factors that can be considered when assessing penalties including, cooperation, good faith, intentionality, history, harm to customers, etc.
Tips for Meeting Updated Regulations in the Public Cloud
The amended regulations mandate a variety of uplifted security controls. While compliance with these changes may not cause too much head-scratching from an on-premises perspective for mature financial services firms, what about when nonpublic information is being stored in the public cloud? The cloud represents a paradigm shift from a security management standpoint, and traditional solutions and programs may struggle to map and comply with these changes in the public cloud. Security leaders should understand what’s required, and adjust their plans, operating models, capabilities and budgets accordingly.
Compliance & Vulnerability Management
Cloud Security Posture Management (CSPM) tools offer you an ‘always on’ look into your resources and configurations, but these platforms can also be used to manage and demonstrate compliance. Traditional CSPM platforms gather a baseline picture of the configuration and security of your cloud environment, and benchmark this against regulatory and compliance standards to find deviations. This gives an overall picture of the risk associated with your cloud environment, and helps detect gaps in your posture against compliance standards.”Next generation” CSPM tools broaden this capability set to include management and control of identities and the data they’re able to access in the cloud, proactive guardrails and policy enforcement, and vulnerability management for your cloud resources.
Leverage a cloud security platform with both pre-built compliance frameworks and recommended policies, and customizable ones to meet your changing business and regulatory needs. While 23 NYCRR 500 provides a minimum acceptable standard for licensed institutions’ cybersecurity programs, many financial services firms have very mature programs that go far beyond this baseline. Some of Sonrai’s customers have built their own cloud security frameworks, with hundreds of custom controls and proactively enforced, automated guardrails. These allow their security teams to provide assurance to the business that they are adequately managing the risk of using the public cloud. At the same time, they can scale the reach of the security team, increase the speed at which they can innovate, and reduce friction on their development teams.
Banner for https://sonraisecurity.com/customer-success/case-study-canadian-bank/
This is a capability we want to call special attention to. Exhaustive asset inventory is core to Sonrai Security’s platform. You can only protect what you can see in your cloud. Every organization needs an inventory of all their identities and all data. A proper inventory of data and assets then allows your organization to classify and tag all data, and differentiate by sensitivity and criticality so you can prioritize protecting your crown jewels. In Sonrai’s platform, you can group different environments, projects, or teams into their own ‘swimlanes’, each with individual maturity models and security goals – this tailoring is informed by context like data classification and identity entitlements.
Identity Management & Privileged Accounts
Cloud Identity & Entitlement Management (CIEM) solutions offer the ability for organizations to inventory and control the privileges for all of the identities in their cloud environments. While some CIEM solutions focus on “direct” permissions (i.e. those permissions directly attached to identities or resources in the cloud), these only tell half the story. With 37,000+ permissions across AWS, Azure, GCP and Oracle Cloud, it’s critical to model all of the relationships between these permissions to understand all of the potential paths leading to sensitive data. An identity can use multiple different capabilities to create a path to data or change its initial privileges. Assuming a role, they can use the role’s privilege escalation capabilities to access a new right to change privileges, and then from there change the permissions of their original group.
While cloud or IAM providers show discrete permissions, and even certain excessive permissions, Sonrai monitors and reveals effective permissions, which account for multiple complex lateral movements. Sonrai’s log inspection and API monitoring provides our clients with a full inventory of identities and a record of all recent activity, including privileged access activity as covered in the proposed amendments. This allows them to immediately identify excessive or unused permissions, reach least privilege across their cloud environments, and detect anomalies before they turn into critical risks.
These Drafted Amendments do an excellent job in raising the bar for New York cyber governance. They help instill a culture of organization-wide involvement in achieving proper governance and compliance. The new regulations should help ensure board members are informed and involved, as well as senior leaders like the CEO. Security and compliance can no longer live under the umbrella of the CISO alone. These amendments can help catalyze a cultural shift, which should benefit both consumers and covered entities in the long term.