March 1, 2018 marks the end of the one-year transition period for the New York Department of Financial Services (NYDFS) cybersecurity regulation. The passage of this date means affected organizations — including banks, insurance companies, and other financial services companies licensed by or operating in New York State — must be in compliance with a raft of security rules intended to protect non-public information from cyberattacks and data loss.
The landmark NYDFS rules (officially known as 23 NYCRR Part 500) go into effect on a rolling basis, to give covered entities time to upgrade their security policies and procedures to meet compliance. The initial set of compliance requirements focuses on risk assessment and reporting, penetration testing, employee training and monitoring, and access management.
According to the NYDFS, covered entities must be in compliance with sections 500.04(b), 500.05, 500.09, 500.12, and 500.14(b) by March 1, 2018. Additional requirements will go into effect in September 2018, including requirements for securing internally developed and third-party applications.
Below we offer a summary of the NYDFS rules covered entities must comply with as of March 1, 2018.
Section 500.04: Chief Information Security Officer
The chief information security officer (CISO) for covered entities must give an annual report to the organization's board of directors, or a senior officer if no such governing body exists. The written report should cover the overall effectiveness of the cybersecurity program, material cybersecurity risks, and material cybersecurity events within the period covered by the report.
Section 500.05: Penetration Testing and Vulnerability Assessments
Covered entities must conduct monitoring and testing to assess the effectiveness of their security. Security programs should include continuous monitoring for security events, as well as penetration tests and vulnerability assessments. Penetration testing should be conducted at least annually, based on the entity's risk assessment. Vulnerability assessments, conducted at least bi-annually, should include systematic scans or reviews to find publicly known vulnerabilities in the entity's information systems.
Section 500.09: Risk Assessment
Covered entities must conduct periodic risk assessments to inform the design of the cybersecurity program. These risk assessments must consider the impacts of evolving technologies and emerging threats. Risk assessments must be conducted in accordance with written policies and procedures, which must address how identified risks will be mitigated or accepted, and how the cybersecurity program will address those risks.
Section 500.12: Multi-Factor Authentication
Security controls, such as multi-factor authentication, must be in place to prevent unauthorized users from accessing non-public information and systems.
Section 500.14: Training and Monitoring
Covered entities must put in place policies and procedures for monitoring the activity of authorized users, and for detecting unauthorized access to non-public information and information systems. They must also provide periodic cybersecurity awareness training for employees.
Coming in September 2018: Application Security Requirements
Among the requirements for compliance going into effect in September 2018, covered entities must have policies and procedures in place for securing the software applications they develop or purchase. The regulation requires organizations to implement standards to ensure the use of secure coding best practices for internally developed applications, and procedures for assessing or testing third-party software used in the organization's IT environment.
How Veracode Can Help
You should check with your compliance and legal departments for complete information on how you may be required to comply. The following Veracode products and services may help you secure your internally developed and third-party software, as part of a complete cybersecurity program.
- Veracode's Application Security Platform can provide a secure audit trail of your compliance processes, including critical information such as application security scores; lists of all discovered flaws; and flaw status information (new, open, fixed, or re-opened). Summary data is also included for third-party assessments, including scores and top risk categories.
- Veracode Static Analysis can ensure that your applications are not vulnerable to attack through exploits such as SQL injection and cross-site scripting, preventing potential data loss, brand damage, and ransomware infections.
- Veracode Static Analysis can help meet the requirement (going into effect in March 2019) to encrypt non-public information, by assessing your applications’ cryptographic code for known vulnerabilities and ensuring encryption is implemented correctly.
- Veracode Software Composition Analysis analyzes your applications to create an inventory of third-party commercial and open source components, alerting your developers to the presence of components with known vulnerabilities. When a new component vulnerability is exposed, you can quickly identify if any of your applications are at risk.
- Veracode Manual Penetration Testing complements Veracode's automated scanning technologies with best-in-class penetration testing services.
To learn more about securing all the applications you develop or assemble from third-party code, and the applications you buy, download our guide for getting started with an application security program.
Read our FAQ for more information about who is affected by the regulation, and read our new guide explaining how you might meet the compliance requirements: Navigating the New York Department of Financial Services Cybersecurity Regulations.