The landmark NYS DFS cybersecurity regulation (23 NYCRR Part 500) that took effect in New York State on March 1, 2017 is approaching its third of four milestones. This was the first regulation of its kind to include prescriptive direction for the protection of Nonpublic Information, including personally identifiable information, handled by the banks, insurers and other financial services companies that DFS regulates.
The previous milestones centered on policy and program creation, such as having a written cybersecurity program and an incident response plan. The second milestone added some more technical items, including multi-factor authentication for remote access as well as penetration testing and vulnerability assessments.
The next set of requirements is set to take effect on September 1, 2018, and it is amongst the toughest from a technical standpoint. It includes encryption of Nonpublic Information (in transit and at rest), audit trails with five- and three-year retention periods, and limitations on data retention.
Take a moment to digest those objectives. They are not easily accomplished tasks, and many companies that have not previously been required to achieve these levels of compliance are understandably struggling to meet this deadline. The biggest problem with the requirements is that they are not very specific, particularly the audit trail requirement.
Diving into the NYS DFS Cybersecurity Regulation
Section 500.06 of the regulation specifies:
(a) Each Covered Entity shall securely maintain systems that, to the extent applicable and based on its Risk Assessment:
(1) are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the Covered Entity; and
(2) include audit trails designed to detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity.
(b) Each Covered Entity shall maintain records required by section 500.06(a)(1) of this Part for not fewer than five years and shall maintain records required by section 500.06(a)(2) of this Part for not fewer than three years.
I am certain that most financial institutions can recreate financial transactions (as required in item 1); however, item 2 is somewhat mysterious. Does it mean that all server logs are to be kept for three years? If so, exactly which logs? The problem is that no one really knows. For anyone operating under this regulation, the interpretation of "audit trails designed to detect and respond to Cybersecurity Events" can mean different things to different organizations.
Just as we infosec folks have always stated that security is not a "one-size-fits-all" proposition, we now have to wonder: which size will satisfy the NYS DFS regulation? Without specific guidance on what the regulation considers an adequate detection and response mechanism, every financial institution must put in place whatever it believes is adequate and hope the examiners agree. The one anchor the text does give is the phrase "based on its Risk Assessment": the defensible path is to document in that assessment which systems and log sources you rely on to detect and respond to Cybersecurity Events that could materially harm operations, and then retain those records for at least three years. Few requirements beg for clarification more than this one.
As an admittedly failed law student, I recall the exercises in legal process class in which a student is asked to write a law and is then shown all the points where the law is either unjust or blatantly lacking, simply because of the words that were used. Writing a regulation is not an easy task. I would only hope that the regulators exercise broad discretion when evaluating the myriad protections they will see while examining this aspect of the regulation.
The final milestone in the regulation, due on March 1, 2019, is section 500.11: each Covered Entity must have written policies and procedures to ensure that its third-party service providers protect the Nonpublic Information and Information Systems they can access, in line with the Covered Entity's own cybersecurity requirements. While this task is not technical in nature, it will also prove to be monumental. Now is the best time to begin taking inventory of all the third-party service providers who have access to Nonpublic Information, including personally identifiable information, in your organization.
As I have mentioned in a previous post, this regulation is sure to be copied by other States, so even if your business does not have any dealings in New York, this style of regulation is likely to reach your State soon. Now would be a good time to examine this regulation in advance of it heading your way so you are not caught off guard.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.