The New York State Department of Financial Services recently released 23 NYCRR 500 dealing with Cybersecurity Requirements for Financial Services Companies. The regulation went into effect on March 1, 2017 and covers entities that are regulated by New York State’s Banking Law, Insurance Law and Financial Services Law.
The full text of the regulation can be found here.
The regulation places a number of requirements on covered entities including the following:
– Maintenance of a Cybersecurity Program
– Implementation and maintenance of a written Cybersecurity Policy
– Designation of a Chief Information Security Officer
– Penetration Testing and Vulnerability Assessments
– Risk Assessments
– Training and Monitoring
– Encryption of Nonpublic Information
– Responses to incidents such as data breaches
– Annual attestation regarding compliance with the regulation
Many of these requirements are likely already part of existing cybersecurity programs at financial services companies. Data governance programs can also support cybersecurity compliance in the following ways:
1. Cybersecurity Policies need to be consistent with Data Governance Policies
Section 500.03 specifically requires that cybersecurity policies address ‘data governance and classification.’ For example, cybersecurity policies relating to data ownership need to be consistent with any data governance roles such as ‘data owner’ and ‘data custodian.’
2. Critical Data Elements need to consider Cybersecurity Requirements
Most financial services companies have spent enormous sums of money identifying Critical Data Elements (CDEs) such as ‘Probability of Default’ for CCAR and DFAST. The CDE program also needs to consider cybersecurity requirements. For example, Section 500.01(g)(1) includes a partial inventory of nonpublic information such as social security number, driver’s license number, account number, credit card number, debit card number, and biometric information.
3. The Metadata Hub needs to be synchronized with IT Asset Inventory and Access Control
Section 500.03 deals with cybersecurity policies for asset inventory. Section 500.07 deals with access privileges to information systems. The data governance program needs to ensure that the metadata hub has an inventory of applications that is consistent with the IT asset inventory tool (such as ServiceNow).
4. Improve the Quality of Information within IT Asset Inventory
Data Governance needs to work with IT to improve the quality of information within the IT Asset Inventory such as ServiceNow. For example, the asset inventory needs to include the production, development, testing and disaster recovery instances of an application, especially if they contain sensitive information. In addition, the names of application owners must be kept updated to support periodic review of access privileges as required by Section
5. Data Retention
Section 500.13 requires covered entities to have cybersecurity programs that include policies and procedures for the secure disposal, on a periodic basis, of nonpublic information unless otherwise required by law or regulation. As a result, cybersecurity programs need to be tightly aligned with information lifecycle management.