If you work in the financial services industry, either at a banking organization, a mortgage servicer, or insurance firm, and you do business in New York, you're no doubt familiar with the rigors of the New York Department of Financial Services' Cybersecurity Regulation, or 23 NYCRR 500.
Released in 2017 and enacted in 2018, DFS-regulated entities, organizations considered Covered Entities under NYDFS, need to take steps to develop and implement an effective cybersecurity program in order to comply with the regulation. For many companies that means having the ability to identify and classify critical assets, assess cybersecurity threats, align threats to assets, map threats to controls and evaluate the effectiveness of those controls.
While the first iteration of the NYDFS' Cybersecurity Regulation required organizations to develop a cybersecurity policy that includes regular risk assessments, the concept looks like it will become more of an sticking point in 2023.
Later this year the NYDFS is expected to publish a new version of its Cybersecurity Regulation and in it, update how it defines the term "risk assessment.” As part of the change, which was proposed in amendment published by NYDFS on November 9, 2022, organizations will have to reevaluate their cybersecurity policies based on the revised definition.
What does the NYDFS Cybersecurity Regulation say about Risk Assessments?
Under the first version of the regulation, the NYDFS instructed covered entities to conduct risk assessments periodically in order to assess the confidentiality, security, integrity, and availability of its information systems and nonpublic information, including the adequacy of existing controls in the context of identified risks.
While helpful – conducting a risk assessment is one of the first tasks an organization should complete in order to begin their cybersecurity policy and program – the directive lacked a lot of context and direction. Other than ensuring data on systems was protected, it didn't specify what exactly an assessment needed to include.
What does the proposed amendment to the NYDFS Cybersecurity Regulation say about Risk Assessments?
While it's not official yet, last year's amendment to the regulation, slated for publication in 2023, redefines the term risk assessment. In many ways it appears as if it's going to be foundational to the retooled regulation going forward.
In the updated text, the NYDFS defines risk assessment as the process of identifying cybersecurity risks to:
- Organizational operations (mission, function, image, and reputation)
- Organizational assets
- Individuals
- Customers
- Consumers
- Other organizations and critical infrastructure resulting from the operation of an information system
The NYDFS is encouraging organizations to take into account the circumstances of the business, including its size, staffing, governance, businesses, services, products, operations, customers, counterparties, service providers, vendors, other relations and their locations, as well as the geographies and locations of its operations and business relations.
Organizations should also ensure that threat and vulnerability analyses and mitigations in place via security controls - either set or planned - are also considered when carrying out a risk assessment.
How Often Does a Covered Entity need a Risk Assessment?
Like most of the Cybersecurity Regulation's requirements - carrying out penetration tests, having their CISO report to the senior board, and test its incident response plans - organizations will have to update their risk assessment at least annually, or potentially more often than that if there's been a change to the business or technology.
Class A companies will need to use an external expert to conduct a risk assessment at least once every three years. NYDFS describes Class A companies as covered entities with at least $20,000,000 in gross annual revenue from the entity’s (and its affiliates) business operations in New York and, either (1) over 2,000 employees; or (2) over $1,000,000,000 in gross annual revenue, in each of the last two fiscal years from all its (and its affiliates) business operations regardless of location.
Class A companies - a new category for NYDFS - are under higher scrutiny from the department; they're also required to conduct an independent audit, implement an endpoint detection and response solution to monitor anomalous activity, along with privileged access control.
What else does a Risk Assessment inform?
In many ways, risk assessments should serve as a basis for how organizations looking to comply with the NYDFS Cybersecurity Regulation should build their cybersecurity program.
NYDFS stresses that cybersecurity programs should be based on the risk assessment that's been carried out. With an effective risk assessment, organizations should be better able to identify and assess internal and external cybersecurity threats to sensitive data, determine how to best detect events, respond to them, recover from them, and properly report them.
According to 23 NYCRR 500, risk assessments should also factor into:
- When and where an organization performs penetration testing
- What types of risks are covered by the company's cybersecurity awareness training.
- How organizations provision access via privileged accounts
- implement multi-factor authentication
- What policies put in place for third party service providers look like.
- Written policies and procedures for vulnerability management
- How often information systems are scanned for vulnerabilities
- What the written policy regarding encryption looks like (The latest amendment to 23 NYCRR 500 requires organizations have a written policy requiring a solution that meets industry standards to protect data)
What are the risks of failing to perform a Risk Assessment?
Like any law or regulation, failing to comply with NYDFS’ Cybersecurity Regulation could have costly repercussions for a company.
Since organizations' cybersecurity policies and risk assessments are tied to each other, if an organization suffers a breach, it could be traced back to having an incomplete risk assessment.
In the case of a recent Consent Order between the NYDFS and a popular U.S. vision benefits company, an email inbox was the source of a data breach. In the eyes of NYDFS, because the company failed to assess this component – the inbox lacked the appropriate access controls - its risk assessment was found to be not “adequate.” Without an “adequate” Risk Assessment on Part 500, no Risk Assessment under Part 500.9 existed, meaning in the eyes of NYDFS, the company had falsely certified compliance since 23 NYCRR 500 was put into place.
The company agreed to pay a $4.5 million penalty for its alleged violations of the regulation.
As nearly every data breach on some level stems from a control failure - something that likely wasn't identified in a risk assessment – organizations could be caught off guard by NYDFS’ recent enforcement efforts.
Companies will have to do their due diligence when it comes to reassessing their risk assessment policies this year, ensuring they perform robust, effective risk assessments that can be viewed as audit-ready in the event an issue arises. While the proposed changes to the Cybersecurity Regulation aren't official yet, having solutions in place to map the way your compliance program complies with 23 NYCRR 500 should be on organization's radar now, instead of later.
