If you are a third-party provider of cyber services to a “covered entity” in New York State, the Department of Financial Services just made your life harder.
The New York cybersecurity legislation that went into effect on March 1, 2017 (23 NYCRR Part 500) imposes new cyber security requirements on financial institutions, insurance agencies, and other covered entities which pass down and through to you.
Highlights of the New York Cybersecurity Requirements
Here are a few highlights of the legislation that could have an impact on your policies, processes and cyber security practices:
- Each Covered Entity will do an assessment of you based on the services you provide and your access to information systems and/or nonpublic information belonging to them.
- Based on the assessment, each Covered Entity you work with will define the minimum cybersecurity practices required for you to implement and operate to do business with them.
- The regulation outlines specific sections of the regulation (e.g. encryption, multi-factor authentication) you must implement if you have access to any information deemed non-public, or access systems that store such information.
- There will likely be uncertainties and a lack of consistency in the way each Covered Entity deals with you as the regulation leaves the definition of acceptable minimum cybersecurity practices by third party providers up to each Covered Entity. However, since their evaluation of you will be reviewed and assessed by the DFS, we anticipate the requirements will vastly mirror what they are required to comply with as part of the regulation.
- It’s likely that if a Covered Entity you work with as cybersecurity policies and practices in place that address the following areas, so too will you:
(b) data governance and classification;
(c) asset inventory and device management;
(d) access controls and identity management;
(e) business continuity and disaster recovery planning and resources;
(f) systems operations and availability concerns;
(g) systems and network security;
(h) systems and network monitoring;
(i) systems and application development and quality assurance;
(j) physical security and environmental controls;
(k) customer data privacy;
(l) vendor and Third Party Service Provider management;
(m) risk assessment; and
(n) incident response.
- From time to time, each Covered Entity you do business with will need to conduct a due diligence assessment of your cybersecurity policies and practices to see if they are compliant with their policies and practices, and the new regulation. We believe that a standard SOC 1 or 2 report will lack the specific attributes required to provide adequate assurance that your cybersecurity program is sufficient.
- You will be required to implement Multi-Factor Authentication or Risk-Based Authentication to protect against unauthorized access to Nonpublic Information or Information Systems.
- With certain exceptions, you will be required to implement encryption to protect Nonpublic Information in transit and at rest, which could be cumbersome and expensive.
- You will be required to provide notice of any cybersecurity event directly impacting your Information Systems or your Nonpublic Information affecting Covered Entities you do business with. This requirement may seem straight forward, but there is uncertainty as to what constitutes a cybersecurity event that warrants notification, and how quickly notification must be provided.
- All contracts with you have with third party providers will need to include “representations and warranties addressing the Third Party Service Provider’s cybersecurity policies and procedures.”
Will Your Customers Require You to Do a Cybersecurity Audit?
The possibility exists that a Covered Entity you’re doing with will require you to conduct and report on a comprehensive audit. However, this may be VERY difficult and problematic for both you and the Covered Entities you do business with.
We believe, however, that the best option for compliance purposes (and our recommendation) is that that you have a specific examination performed by an independent CPA firm to attest to your cybersecurity practices in place.
In fact, the AICPA recently released a Cybersecurity Risk Management Reporting Framework and a System and Organization Controls (SOC) reporting option specifically designed to provide a robust, consistent mechanism for reporting on the cybersecurity programs of companies as a means of providing assurance to users of the company.
Where to start?
We suggest that the first step in the process of getting into compliance with the 2017 New York State Cybersecurity Regulations and the requirements of the Covered Entities you do business with be a comprehensive assessment of your current cybersecurity program and controls against these regulations and other leading frameworks to validate its design and operation.
The experts in Freed Maxick’ s Risk and Technology Advisory and Assurance Practice can help you to this end, as well as assisting in development and implementation of a remediation plan.
Our thorough assessment includes investigations of your policies, processes and practices governing your relationship with all relevant Covered Entities, as well as an assessment of their programs to provide assurances of you compliance with their requirements.
To schedule an initial consultation, click here or call Dave Hansen, Principal, at 585.360.1481. Or you can download our full New York Cybersecurity Regulation whitepaper here.