Diving into the NYS DFS Cybersecurity Regulation

The regulation (23 NYCRR 500, section 500.06) specifies: (a) Each Covered Entity shall securely maintain systems that, to the extent applicable and based on its Risk Assessment:
(1) are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the Covered Entity; and
(2) include audit trails designed to detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity.

(b) Each Covered Entity shall maintain records required by section 500.06(a)(1) of this Part for not fewer than five years and shall maintain records required by section 500.06(a)(2) of this Part for not fewer than three years.

I am certain that most financial institutions can recreate financial transactions (as required in item 1); however, item 2 is somewhat mysterious. Does it mean that all server logs are to be kept for three years? If so, exactly which logs? The text gives only one pointer: section 500.06(a) applies “to the extent applicable and based on its Risk Assessment,” so the scope of the audit trail is whatever a Covered Entity’s own Risk Assessment says is needed to detect and respond to a materially harmful Cybersecurity Event. Beyond that, the problem is that no one really knows. For anyone operating under this regulation, the interpretation of “audit trail to detect and respond to Cybersecurity Events” can mean different things to different organizations. Just as we infosec folks have always stated that security is not a “one-size-fits-all” proposition, we now have to wonder: which size will satisfy the NYS DFS regulation? Without specific guidance on what the regulation considers an adequate detection and response mechanism, every financial institution must put in place the systems it believes are adequate, and then wait to learn whether the regulator agrees.

Few things define the fallacy of “begging the question” better than this. As an admittedly failed law student, I recall the examples in legal process class whereby a student is asked to write a law and then is shown all the points where the law is either unjust or blatantly lacking simply because of the words that are used. Writing a regulation is not an easy task. I would only hope that the regulators exercise broad discretion when evaluating the myriad protections they will see when examining this aspect of the regulation.

The final milestone in the regulation, section 500.11 (Third Party Service Provider Security Policy), whose two-year transitional period under section 500.22 ended on March 1, 2019, is to ensure that all third-party service providers adhere to the cybersecurity requirements of the host organization.
While this task is not technical in nature, it will also prove to be monumental. Now is the best time to begin taking an inventory of all the third-party service providers that have access to personally identifiable information (and any other Nonpublic Information, as the regulation defines it) in your organization. As I have mentioned in a previous post, this regulation is sure to be copied by other States, so even if your business does not have any dealings in New York, this style of regulation is sure to come to your State soon. Now would be a good time to examine this regulation in advance of its heading your way so you are not caught off guard.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.