NYDFS Part 500 Cybersecurity Regulation Lessons Learned

The 23 New York Codes, Rules and Regulation (NYCRR) 500 regulation from New York State Department of Financial Services (NYDFS), also well known as “NYDFS Part 500” is designed to promote the protection of Nonpublic Information (NPI) as well as systems of covered entities.

The NYDFS definition of NPI is the root of all the concerned institutions’ efforts to determine how they should implement required controls.

It is defined as follows:

“Nonpublic Information shall mean all electronic information that is not Publicly Available Information and is:

(1) Business-related information of a Covered Entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the Covered Entity;

(2) Any information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements: (i) social security number, (ii) drivers license number or non-driver identification card number, (iii) account number, credit or debit card number, (iv) any security code, access code or password that would permit access to an individual’s financial account, or (v) biometric records;

(3) Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual and that relates to (i) the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual's family, (ii) the provision of health care to any individual, or (iii) payment for the provision of health care to any individual." [1]

In summary, NYDFS Part 500 is mainly focused on protecting the following information:

• Material Nonpublic Information (MNPI)
• Personal Identifiable Information (PII)
• Personal Health Information (PHI)

At this date, all covered entities should comply with all the requirements of 23 NYCRR Part 500 except for §500.11 on Third Party Service Provider Security Policy which has a later compliance date.

However, there are reasons detailed below to believe this regulation will evolve to adjust to new cybercriminal approaches and cybersecurity controls.

The broad requirements of NYDFS Part 500 make it difficult for Financial Institutions (FI) to measure if the controls they implement ensure full compliance. The content of the regulations has generated a lot of interpretation, industry and peer consultation - such as the Institute of International Bankers (IIB) meeting periodically on this topic - and requests for legal input.

The revised approach of the cyclical cybersecurity assessment performed under Part 500 was often performed for the first time with the assistance of external experts, which helped institutions set the scope of work and address any initial challenges.

This risk assessment is the foundation of the Cybersecurity exercise. The regulation refers to highlighting weaknesses. Lack of control or issues uncovered during this assessment are addressed as part of the continuous improvement mandated by Part 500 and as a way to discuss where and how to set up compensating controls. In many Part 500 sections, the requirements are vague because they are dependent upon the company’s “Risk Assessment." As an example, for §500.12, the requirement is written as follows: "(a) Multi-Factor Authentication. Based on its Risk Assessment, each Covered Entity shall use effective controls, which may include Multi-Factor Authentication or Risk-Based Authentication, to protect against unauthorized access to Nonpublic Information or Information Systems. "

Additionally, challenges arise from the definition of data that needs to be protected under Part 500. NYDFS mentions several times the Materiality of data (in §500.06, §500.16, and §500.17) which may be difficult for the regulated entities to interpret.

Encryption of Nonpublic Information (§500.15) differentiates types of data to be encrypted:

1. Data in transit refers to any data in motion from one location to another through means such as emails, or private networks. This kind of data can be intercepted during transit by hackers or can be shared by someone from inside the organization;

2. Data at rest refers to static data stored on a hard drive, flash drive, server or archived/stored in some other way.

For covered entities, it remains the most complex requirement to implement correctly, especially with data in transit (e.g., emails). Encrypting all emails could lead to additional risks with people sharing decryption keys that cause disruption of “business as usual” operations by making exchanges of emails slower.

For most participants, this is not an acceptable solution. Hence, Financial Institutions are making the case as to the type of data in transit that should or should not be encrypted. Referring to the definition of NPI, some institutions are focusing on matching their internal data mapping with NYDFS requirements to encrypt only emails with PII, PHI or strategic information.

The Multi-Factor Authentication (MFA) definition is not clear, again leaving room for interpretation, by allowing firms to use “effective alternative compensating controls” that have been reviewed and approved by the Chief Information Security Officer (CISO). FIs are concerned since their understanding of the requirement may not be the same as the NYDFS’ which offers room for future regulatory findings/clarification.

MFA can also be a costly investment as it involves upgrading hardware to add for example fingerprint identification capabilities, switching to laptops, or introducing additional external verification such as soft tokens on phones.

Financial Institutions tend to prefer conservative cost approaches while complying with the minimum regulatory requirements. This approach may sound attractive at first but may infer cyclical upgrades as the regulator may further tighten security requirements over time.

Some inspiration can be taken from tech companies such as Google and its titan key, which allows for a physical MFA that is extremely difficult if not impossible to breach. Since it began requiring security keys as a second factor for employees, Google has not reported or confirmed account takeovers following phishing attacks.

Third-Party controls and remediation efforts are encompassed in the requirement that all existing contracts follow the new regulatory requirements. Can FIs wait for the renewal period of the contracts, so they do not have to perform a ‘big bang’ change? Also, agreements with major Third Parties are usually ironclad and nearly impossible to amend. Hence there will be a lot of risk acceptance involved. Will this be acceptable for the NYDFS?

These questions make it difficult for Financial Institutions to gauge how to comply with this last requirement before the end of the two-year transitional period in March 2019.

As stated earlier, NYDFS will probably refine its Part 500 requirements as it develops examination experience. For now, based on their risk assessment, FIs should establish acceptable risk mitigating solutions versus expensive investments to implement the most advanced and holistic solutions.

The regulation has also helped many Smaller Organizations/Foreign Banking Organizations to realize that they should be at a higher level of cybersecurity maturity regarding these topics. New functions have been created in FIs, such as IT Risk, Cybersecurity, or Information Security teams which often did not exist previously or were very small. We observed that many organizations relied on operational risk for these types of functions which should have been independent.

Due to the implications and impact related to the challenges mentioned above and other requirements that may lead to different interpretations, it is our view that FIs should review their risk assessments and conclusions with NYDFS Part 500 independent experts before certification.

For covered entities, complying with NYDFS Part 500 has been on the top of CISO agendas for the past two years. For the next two years, we have identified the following trends that are seen to top CISO priorities, with different maturity levels depending on the organization:

• Third and “Fourth” Party Risk - Requirements from NYDFS Part 500 have started to address third-party risk for cybersecurity, and to look at all industries. The National Institute of Standards and Technology (NIST), on April 16, 2018, published their new Cybersecurity Framework version 1.1 which has greatly expanded the section related to Supply Chain Risk. Third-party organizations are also relying on the use of independent experts or contractors (“fourth parties”), from which they also need to obtain insurance as risk as high as third parties may be introduced;
• Cyber Threat Intelligence: with the rise of zero-day exploits, companies need to have proper cyber threat intelligence programs to detect threats and be prepared to respond in a very short time;
• End and Specialized Users Security Training: Regular and general end-user awareness security training is no longer sufficient. As threats are more and more targeted with specific mechanisms, each area within a company needs to be aware of risks specific to their environment. Developers need to follow proper Secure Coding practices and standards. The IT engineers need to be mindful of system hardening and secured configuration best practices. Sensitive application operators (e.g., SWIFT) should be aware of specific threats that can be targeted to their activity such as advanced social engineering attacks;
• Incident Response Readiness - FIs need to have a robust cyber incident response plan,  tested on an annual basis to demonstrate readiness to respond to cyber incidents;
• Use of Artificial Intelligence (AI) to detect advanced threats - companies are trending toward more use of Artificial Intelligence and Machine Learning to identify advanced threat patterns. As an example, an algorithm may recognize suspicious behavior or activity patterns that may lead to an actual incident, and prevent it from happening.

CISOs and security professionals also gather information and best practices by attending cybersecurity-related events and conferences. The number of attendees is increasing each year; for example in 2018, 25,000+ persons participated in the BlackHat and DefCon events in Las Vegas. Each year new threats and security flaws in systems are shown including a growing number of advanced attacks/threats that use Big Data and AI to break security controls.