

Post on 17-Jul-2020


Page 1: Addressing the 23 NYCRR 500 Cybersecurity Regulation… · The New York Cybersecurity Rule (23 NYCRR 500) (also known as the “Cybersecurity Requirements for Financial Services

Addressing the 23 NYCRR 500 Cybersecurity Regulation

PLAYBOOK “ABSTRACT” | CYBERSECURITY


Impact Makers, Inc. | 1707 Summit Avenue, Suite 201, Richmond, Virginia 23230 | www.impactmakers.com

Contents

1. Background and Purpose
1.1 Useful information
1.2 Timeline
1.3 Regulation sections
1.4 Initial approach
1.5 Suggested Model (The NIST Cybersecurity Framework)

2. The First Six Months: 3/1/2017 through 9/1/2017
2.1 Cybersecurity Program – 500.02 – First Six Months
2.2 Cybersecurity Policy – 500.03 – First Six Months
2.3 CISO – 500.04 – First Six Months
2.4 Access Privileges – 500.07 – First Six Months
2.5 Cybersecurity Personnel and Intelligence – 500.10 – First Six Months
2.6 Incident Response Plan – 500.16 – First Six Months
2.7 Notices to Superintendent – 500.17 – First Six Months
2.8 Notes and comments – First Six Months

3. The Second Six Months – 9/1/17 – 3/1/18
3.1 CISO – 500.04 – Second Six Months (conclusion of this section)
3.2 Penetration Testing and Vulnerability Assessments – 500.05 – Second Six Months
3.3 Risk Assessment – 500.09 – Second Six Months
3.4 Multi Factor Authentication – 500.12 – Second Six Months
3.5 Training and Monitoring – 500.14 – Second Six Months
3.6 Notes and comments – Second Six Months

4. The Third Six Months – 3/1/18 – 9/1/18
4.1 Audit Trail – 500.06 – Third Six Months
4.2 Application Security – 500.08 – Third Six Months
4.3 Limits on Data Retention – 500.13 – Third Six Months
4.4 Training and Monitoring – 500.14 – Third Six Months
4.5 Encryption of Nonpublic Information – 500.15 – Third Six Months
4.6 Notes and comments – Third Six Months

5. The Fourth Six Months – 9/1/18 – 3/1/19
5.1 Third Party Service Provider Policy – 500.11 – Fourth Six Months
5.2 Notes and comments – Fourth Six Months

6. Appendices
6.1 Definitions
6.2 Frequently Asked Questions

Working with Impact Makers


1. Background and Purpose

Who is this for? This playbook is for any financial services company that does business in the State of New York, whether it is based in New York or elsewhere. Anyone who does not fit that description need not follow this particular playbook’s sprint plan or adhere to the 23 NYCRR 500 regulation, but we believe the approach and methodologies outlined are still of use for compliance with other states’ regulatory requirements and for sustaining any mature cybersecurity culture.

How does this help? This cybersecurity regulation is not for the faint of heart. Impact Makers’ cybersecurity experts (the Governance, Risk, and Compliance team) have collaborated to break down the morass of legalese into actionable sprints that ensure compliance and lay the foundation for a mature cybersecurity culture. This playbook also includes a compilation of useful logistical information so that readers will not have to expend redundant effort in meeting the regulation’s requirements, and can focus their time and energy on their cybersecurity needs.

What is the regulation? The New York Cybersecurity Rule (23 NYCRR 500) (also known as the “Cybersecurity Requirements for Financial Services Companies”) was introduced by the New York State Department of Financial Services (NYDFS) in 2016, passed in the first quarter of 2017, and took effect March 1, 2017. Covered Entities must file their first annual certifications with the NYDFS no later than February 15, 2018.

This regulation will be enforced by the NYDFS and affects all covered entities including Financial Services, and Health, Life and Property Insurers. The Regulation is designed to comply with State and Federal standards and its purpose is to promote the protection of customer information as well as the information technology systems of regulated entities.

Highlights of the regulation include:

• The Regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion.

• Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations.

• NYDFS defines a Covered Entity as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”

The purpose of this Playbook is to provide a basis and guidance for compliance with the NYCRR 500 Cybersecurity regulation for covered entities who are regulated by the NYDFS. The full text of the Regulation can be found at the following internet address on the NYDFS site: http://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf.

Many organizations will find they have a substantial part of the regulatory requirements already in place and merely need to take inventory and report their compliance to the NYDFS. This playbook will help covered entities review their cybersecurity program and ensure it is current, conforms to the regulation, and satisfies it as required. The approach proposed in this playbook is based on the NIST Cybersecurity Framework (version 1.0), as we believe it is likely that this framework will eventually be the basis for many federally mandated cybersecurity regulations and compliance programs. Early adoption of this framework will help participating companies adapt to future mandates and requirements, whether federal or state imposed. Additionally, the NIST Cybersecurity Framework is suggested because it is an effective and measurable way to manage cybersecurity risk across the organization. The framework is described in more detail in section 1.5 below.


1.1 Useful information

New York State Department of Financial Services: http://www.dfs.ny.gov/

23 NYCRR 500: http://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf

NYDFS office locations:

• New York City (Main Office): New York State Department of Financial Services, One State Street, New York, NY 10004-1511

• Albany: New York State Department of Financial Services, One Commerce Plaza, Albany, NY 12257

• Buffalo: New York State Department of Financial Services, Walter Mahoney Office Bldg, 65 Court Street, Room 7, Buffalo, NY 14202

• Garden City: 1399 Franklin Avenue, Suite 203, Garden City, NY 11530

• Oneonta: New York State Department of Financial Services, 28 Hill Street, Room 210, Oneonta, NY 13820

• Syracuse: New York State Department of Financial Services, 333 East Washington Street, Syracuse, NY 13202


1.2 Regulation Timeline

The regulation is designed to be implemented over a period of two years (24 months) in six-month increments. DFS’ timeline, as reflected in the four phases of the roadmap in this playbook, is as follows:

• March 1, 2017: the regulation takes effect; first six-month phase (3/1/2017 – 9/1/2017)

• September 1, 2017: second six-month phase begins (9/1/2017 – 3/1/2018); first annual certification due to the NYDFS by February 15, 2018

• March 1, 2018: third six-month phase begins (3/1/2018 – 9/1/2018)

• September 1, 2018: fourth six-month phase begins (9/1/2018 – 3/1/2019)

• March 1, 2019: end of the 24-month implementation period

1.3 Regulation sections

The regulation is comprised of 23 sections as illustrated above and a Regulations Data Set spreadsheet is included for your reference.

[Figure: 23 NYCRR 500 Regulation sections]

1.4 Recommended Initial Approach

It is recommended that the program to become compliant with 23 NYCRR 500 be driven jointly by Compliance, Risk, and Information Technology and led by the Chief Information Security Officer (CISO). Satisfying the regulation can be treated as a separate program with its own program governance structure. An Agile approach is recommended, with three sixty-day sprints within each of the four major six-month program cycles. Cybersecurity programs should be designed not to replace but to complement an organization’s risk management program. A high-level approach to implementing an effective cybersecurity program that will help satisfy 23 NYCRR 500 (the Regulation) could involve the following:

• Describe the current cybersecurity posture;

• Describe the target state for cybersecurity;

• Identify and prioritize opportunities based on the timeline imposed by the regulation for improvement within the context of a continuous and repeatable process;

• Regularly assess progress toward the target state;

• Communicate among internal and external stakeholders about cybersecurity risk;

• Measure success and continuously improve.


1.5 Suggested model (The NIST Cybersecurity Framework)

It is recommended that the NIST Cybersecurity Framework (CSF) be used as a guideline to establish and manage an organization’s cybersecurity environment. Why NIST? While there are several information security frameworks that are available, the NIST Cybersecurity Framework was built using the input from government, the commercial sector, and academia. The NIST CSF maps to the most widely used security controls frameworks including NIST 800-53, ISO/IEC 27002, and the CIS Critical Security Controls (aka “SANS Top 20”). The NIST Cybersecurity Framework is provided at no-cost to organizations and it is estimated that a majority of security-conscious companies have either adopted or plan to adopt the CSF in the near future. We believe that in the absence of other regulatory guidance, the NIST CSF will become the de facto standard for what constitutes “good security.” While we propose the NIST CSF as a model, companies should use whichever framework effectively suits their particular needs or is already in place.

The NIST CSF can complement an organization’s existing risk management process and cybersecurity program. The CSF should be leveraged to identify opportunities to strengthen and communicate management of cybersecurity risk while, at the same time, maintaining alignment with industry standards and practices. The CSF can be used as a reference to establish a cybersecurity program where one is missing or to enhance an existing program. The following three bullets provide an overview of the CSF and can be found in the NIST document at: https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf

• The Framework Core is a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level.

• Framework Implementation Tiers (“Tiers”) provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the framework (e.g., risk and threat aware, repeatable, and adaptive).

• A Framework Profile (“Profile”) represents the outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories. The Profile can be characterized as the alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario.


Introduction to Roadmap The following sections are a suggested roadmap that includes four 6-month phases. Impact Makers recommends three sprints in each six-month phase, beginning with a security program assessment resulting in validation of controls and a corrective action plan prioritized based on NYCRR 500 and security best-practices.

2. The First Six Months: 3/1/2017 through 9/1/2017

The first six months (March 1, 2017 – September 1, 2017) address parts of the following requirements sections. Note that not all of each section is required within the first six months, as some parts come due later (e.g., section 500.04(b), the CISO’s written report, is due after 12 months). Refer to the spreadsheet provided for a full understanding of each section.

• 500.02 – Cybersecurity Program – Develop, improve, maintain and govern

• 500.03 – Cybersecurity Policy – Define, agree, approve and submit

• 500.04 – CISO – establish primary accountability for the cybersecurity program

• 500.07 – Access Privileges – Fine-tune by whom data is accessed/managed

• 500.10 – Cybersecurity Personnel and Intelligence – Ensure qualified cybersecurity personnel are trained and managing risks

• 500.16 – Incident Response Plan – Establish an incident response plan

• 500.17 – Notices to the Superintendent – Provide annual reports and timely notification of security incidents

2.1 Cybersecurity Program – 500.02 – First Six Months

• Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems.

• The cybersecurity program shall be based on the Covered Entity’s Risk Assessment and designed to perform the following core cybersecurity functions:

o Identify and assess internal and external cybersecurity risks that may threaten the security or integrity of Non-Public Information (NPI) stored on the Covered Entity’s Information Systems;

o Use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity’s Information Systems, and the NPI stored on those Information Systems, from unauthorized access, use or other malicious acts;

o Detect Cybersecurity Events;

o Respond to identified or detected Cybersecurity Events to mitigate any negative effects;

o Recover from Cybersecurity Events and restore normal operations and services; and

o Fulfill applicable regulatory reporting obligations.


• A Covered Entity may meet the requirements of this Part by adopting a cybersecurity program maintained by an Affiliate, provided that the Affiliate’s cybersecurity program covers the Covered Entity’s Information Systems and NPI and meets the requirements of this Part.

• All documentation and information relevant to the Covered Entity’s cybersecurity program shall be made available to the superintendent upon request.

2.2 Cybersecurity Policy – 500.03 – First Six Months

• Each Covered Entity shall implement and maintain a written policy or policies, approved by a Senior Officer or the Covered Entity’s board of directors (or an appropriate committee thereof) or equivalent governing body, setting forth the Covered Entity’s policies and procedures for the protection of its Information Systems and NPI stored on those Information Systems. The cybersecurity policy shall be based on the Covered Entity’s Risk Assessment and address the following areas to the extent applicable to the Covered Entity’s operations:

1) information security;

2) data governance and classification;

3) asset inventory and device management;

4) access controls and identity management;

5) business continuity and disaster recovery planning and resources;

6) systems operations and availability concerns;

7) systems and network security;

8) systems and network monitoring;

9) systems and application development and quality assurance;

10) physical security and environmental controls;

11) customer data privacy;

12) vendor and Third-Party Service Provider management;

13) risk assessment; and

14) incident response.

2.3 CISO – 500.04 – First Six Months

• Chief Information Security Officer. Each Covered Entity shall designate a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy (for purposes of this Part, “Chief Information Security Officer” or “CISO”). The CISO may be employed by the Covered Entity, one of its Affiliates or a Third-Party Service Provider. To the extent this requirement is met using a Third-Party Service Provider or an Affiliate, the Covered Entity shall:

o Retain responsibility for compliance with this Part;

o Designate a senior member of the Covered Entity’s personnel responsible for direction and oversight of the Third-Party Service Provider; and

o Require the Third-Party Service Provider to maintain a cybersecurity program that protects the Covered Entity in accordance with the requirements of this Part.


2.4 Access Privileges – 500.07 – First Six Months

• As part of its cybersecurity program, and based on the Covered Entity’s Risk Assessment, each Covered Entity shall limit user access privileges to Information Systems that provide access to NPI and shall periodically review such access privileges.

2.5 Cybersecurity Personnel and Intelligence – 500.10 – First Six Months

• Cybersecurity Personnel and Intelligence. In addition to the requirements set forth in section 500.04(a) of this Part, each Covered Entity shall:

o Utilize qualified cybersecurity personnel of the Covered Entity, an Affiliate or a Third Party Service Provider sufficient to manage the Covered Entity’s cybersecurity risks and to perform or oversee the performance of the core cybersecurity functions specified in section 500.02(b)(1)-(6) of this Part;

o Provide cybersecurity personnel with cybersecurity updates and training sufficient to address relevant cybersecurity risks; and

o Verify that key cybersecurity personnel take steps to maintain current knowledge of changing cybersecurity threats and countermeasures.

• A Covered Entity may choose to utilize an Affiliate or qualified Third-Party Service Provider to assist in complying with the requirements set forth in this Part, subject to the requirements set forth in section 500.11 of this Part.

2.6 Incident Response Plan – 500.16 – First Six Months

• As part of its cybersecurity program, each Covered Entity shall establish a written incident response plan designed to promptly respond to, and recover from, any Cybersecurity Event materially affecting the confidentiality, integrity or availability of the Covered Entity’s Information Systems or the continuing functionality of any aspect of the Covered Entity’s business or operations.

• Such incident response plan shall address the following areas:

1) the internal processes for responding to a Cybersecurity Event;

2) the goals of the incident response plan;

3) the definition of clear roles, responsibilities and levels of decision-making authority;

4) external and internal communications and information sharing;

5) identification of requirements for the remediation of any identified weaknesses in Information Systems and associated controls;

6) documentation and reporting regarding Cybersecurity Events and related incident response activities; and

7) the evaluation and revision as necessary of the incident response plan following a Cybersecurity Event.

2.7 Notices to Superintendent – 500.17 – First Six Months


• Notice of Cybersecurity Event. Each Covered Entity shall notify the superintendent as promptly as possible, but in no event later than 72 hours from a determination that a Cybersecurity Event of either of the following kinds has occurred:

o Cybersecurity Events of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body; and

o Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.

• Annually each Covered Entity shall submit to the superintendent a written statement by February 15, in such form set forth as Appendix A of the 23 NYCRR 500 document included as a supplemental document, certifying that the Covered Entity is in compliance with the requirements set forth in this Part. Each Covered Entity shall maintain for examination by the Department all records, schedules and data supporting this certificate for a period of five years. To the extent a Covered Entity has identified areas, systems or processes that require material improvement, updating or redesign, the Covered Entity shall document the identification and the remedial efforts planned and underway to address such areas, systems or processes. Such documentation must be available for inspection by the superintendent.

2.8 Notes and comments – First Six Months

In the next two sprints, the Covered Entity can begin remediating risks specific to its corrective action plan, such as policies and procedures development, roles and responsibilities definition and training, and incident response program development.


3. The Second Six Months – 9/1/17 – 3/1/18 The second six months (September 1, 2017 – March 1, 2018) address parts of the following requirements sections. Note that sections started during the first six months are concluded during this phase.

• 500.04 – CISO – Establish primary accountability for the cybersecurity program

• 500.05 – Penetration Testing – Test current Cybersecurity vulnerabilities

• 500.09 – Risk Assessment – Understand and inventory cybersecurity risks

• 500.12 – Multi-Factor Authentication – Require multi-factor authentication (or CISO-approved equivalent controls) for external access to internal networks, and effective access controls for NPI and Information Systems

• 500.14 – Training and monitoring – Provide regular updated awareness for all personnel

3.1 CISO – 500.04 – Second Six Months (conclusion of this section)

• Report. The CISO of each Covered Entity shall report in writing at least annually to the Covered Entity’s board of directors or equivalent governing body. If no such board of directors or equivalent governing body exists, such report shall be presented to a Senior Officer of the Covered Entity responsible for the Covered Entity’s cybersecurity program. The CISO shall report on the Covered Entity’s cybersecurity program and material cybersecurity risks. The CISO shall consider to the extent applicable:

o The confidentiality of Non-public Information and the integrity and security of the Covered Entity’s Information Systems;

o The Covered Entity’s cybersecurity policies and procedures;

o Material cyber risks to the Covered Entity;

o Overall effectiveness of the Covered Entity’s cybersecurity program; and

o Material Cybersecurity Events involving the Covered Entity during the time period addressed by the report.

3.2 Penetration Testing and Vulnerability Assessments – 500.05 – Second Six Months

• The cybersecurity program for each Covered Entity shall include monitoring and testing, developed in accordance with the Covered Entity’s Risk Assessment, designed to assess the effectiveness of the Covered Entity’s cybersecurity program. The monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments. Absent effective continuous monitoring, or other systems to detect, on an ongoing basis, changes in Information Systems that may create or indicate vulnerabilities, Covered Entities shall conduct:

o Annual penetration testing of the Covered Entity’s Information Systems, determined each given year based on relevant identified risks in accordance with the Risk Assessment; and

o Bi-annual vulnerability assessments, including any systematic scans or reviews of Information Systems reasonably designed to identify publicly known cybersecurity vulnerabilities in the Covered Entity’s Information Systems based on the Risk Assessment.


3.3 Risk Assessment – 500.09 – Second Six Months

• Each Covered Entity shall conduct a periodic Risk Assessment of the Covered Entity’s Information Systems sufficient to inform the design of the cybersecurity program as required by this Part. Such Risk Assessment shall be updated as reasonably necessary to address changes to the Covered Entity’s Information Systems, NPI or business operations. The Covered Entity’s Risk Assessment shall allow for revision of controls to respond to technological developments and evolving threats and shall consider the particular risks of the Covered Entity’s business operations related to cybersecurity, NPI collected or stored, Information Systems utilized and the availability and effectiveness of controls to protect NPI and Information Systems.

• The Risk Assessment shall be carried out in accordance with written policies and procedures and shall be documented. Such policies and procedures shall include:

o Criteria for the evaluation and categorization of identified cybersecurity risks or threats facing the Covered Entity;

o Criteria for the assessment of the confidentiality, integrity, security and availability of the Covered Entity’s Information Systems and NPI, including the adequacy of existing controls in the context of identified risks; and

o Requirements describing how identified risks will be mitigated or accepted based on the Risk Assessment and how the cybersecurity program will address the risks.

3.4 Multi Factor Authentication – 500.12 – Second Six Months

• Multi-Factor Authentication. Based on its Risk Assessment, each Covered Entity shall use effective controls, which may include Multi-Factor Authentication or Risk-Based Authentication, to protect against unauthorized access to NPI or Information Systems.

• Multi-Factor Authentication shall be utilized for any individual accessing the Covered Entity’s internal networks from an external network, unless the Covered Entity’s CISO has approved in writing the use of reasonably equivalent or more secure access controls.
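The 500.12 rule above, combined with the factor categories given in the definition of Multi-Factor Authentication in section 6.1, can be expressed as a policy check. The following is an added example, not part of the playbook or the regulation; the factor names, the access request structure and the approval reference are assumptions.

```python
"""Added example: evaluate an access request against 23 NYCRR 500.12.

Not part of the playbook. Factor names and the request structure are assumed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Factor categories from the MFA definition: knowledge, possession, inherence.
# The factor labels are assumed names used only in this example.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "security_question": "knowledge",
    "hardware_token": "possession",
    "totp_app": "possession",
    "push_to_phone": "possession",
    "fingerprint": "inherence",
    "face": "inherence",
}


@dataclass
class AccessRequest:
    user: str
    source: str                                   # "internal" or "external" network
    factors: List[str] = field(default_factory=list)
    # Written CISO approval of a "reasonably equivalent or more secure" control,
    # the exception allowed by 500.12; assumed to be a ticket or document reference.
    ciso_approval_ref: Optional[str] = None


def is_multi_factor(factors: List[str]) -> bool:
    """True only when the factors span at least two distinct categories.

    Two factors of the same category (password + PIN) are two pieces of
    evidence but not MFA under the definition, since both are "knowledge".
    """
    categories = set()
    for factor in factors:
        category = FACTOR_CATEGORY.get(factor)
        if category is None:
            raise ValueError(f"unknown factor type: {factor!r}")
        categories.add(category)
    return len(categories) >= 2


def check_500_12(req: AccessRequest) -> Tuple[bool, str]:
    """Return (compliant, reason) for one access request.

    500.12 requires MFA for any individual accessing internal networks from an
    external network unless the CISO approved equivalent controls in writing.
    Access from the internal network is left to the risk-based controls chosen
    under the Risk Assessment, so only the external-access rule is enforced here.
    """
    if req.source != "external":
        return True, "internal access: controls decided by the Risk Assessment"
    if is_multi_factor(req.factors):
        return True, "MFA satisfied"
    if req.ciso_approval_ref:
        return True, f"exception: CISO written approval {req.ciso_approval_ref}"
    return False, "external access without MFA or a CISO-approved alternative"


def non_compliant_users(requests: List[AccessRequest]) -> List[str]:
    """Names of users whose requests fail the 500.12 check (for a review report)."""
    return [r.user for r in requests if not check_500_12(r)[0]]


if __name__ == "__main__":
    # Constructed sample requests, not real data.
    sample = [
        AccessRequest("alice", "external", ["password", "totp_app"]),
        AccessRequest("bob", "external", ["password", "pin"]),
        AccessRequest("carol", "external", ["password"], ciso_approval_ref="CISO-EX-0001"),
        AccessRequest("dave", "internal", ["password"]),
    ]
    for r in sample:
        print(r.user, check_500_12(r))
    print("non-compliant:", non_compliant_users(sample))
```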

3.5 Training and Monitoring – 500.14 – Second Six Months

• Provide for regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the Covered Entity in its Risk Assessment.

3.6 Notes and comments – Second Six Months

In this phase, Impact Makers recommends conducting system risk assessments, establishing an ongoing program of vulnerability assessments and penetration testing, as well as designing a sustainable security awareness training program. Work to remediate risk according to the corrective action plan will continue based on NYCRR 500 requirements, industry standards, and the risk posture of the organization.


4. The Third Six Months – 3/1/18 – 9/1/18

The third six months (March 1, 2018 – September 1, 2018) address parts of the following requirements sections.

• 500.06 – Audit Trail – Ensure capabilities exist to detect and respond to events as well as reconstruct financial transactions

• 500.08 – Application Security – Develop procedures to evaluate, test, and assess applications

• 500.13 – Limits on Data Retention – Establish policies relevant to type of data

• 500.14 – Training and monitoring – Provide regular updated awareness for all personnel

• 500.15 – Encryption of Non-public information – Security of Non-public information transmitted

4.1 Audit Trail – 500.06 – Third Six Months

• Each Covered Entity shall securely maintain systems that, to the extent applicable and based on its Risk Assessment:

o Are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the Covered Entity; and

o Include audit trails designed to detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity.

• Each Covered Entity shall maintain records required by this section for not fewer than five years.

4.2 Application Security – 500.08 – Third Six Months

• Each Covered Entity’s cybersecurity program shall include written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications utilized by the Covered Entity, and procedures for evaluating, assessing or testing the security of externally developed applications utilized by the Covered Entity within the context of the Covered Entity’s technology environment.

• All such procedures, guidelines and standards shall be periodically reviewed, assessed and updated as necessary by the CISO (or a qualified designee) of the Covered Entity.

4.3 Limits on Data Retention – 500.13 – Third Six Months

• As part of its cybersecurity program, each Covered Entity shall include policies and procedures for the secure disposal on a periodic basis of any NPI identified in 500.01(g)(2)-(3) that is no longer necessary for business operations or for other legitimate business purposes of the Covered Entity, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.

4.4 Training and Monitoring – 500.14 – Third Six Months


• Implement risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information by such Authorized Users

4.5 Encryption of Nonpublic Information – 500.15 – Third Six Months

• As part of its cybersecurity program, based on its Risk Assessment, each Covered Entity shall implement controls, including encryption, to protect NPI held or transmitted by the Covered Entity both in transit over external networks and at rest.

o To the extent a Covered Entity determines that encryption of NPI in transit over external networks is infeasible, the Covered Entity may instead secure such NPI using effective alternative compensating controls reviewed and approved by the Covered Entity’s CISO.

o To the extent a Covered Entity determines that encryption of NPI at rest is infeasible, the Covered Entity may instead secure such NPI using effective alternative compensating controls reviewed and approved by the Covered Entity’s CISO.

o To the extent that a Covered Entity is utilizing compensating controls under the first bullet above, the feasibility of encryption and effectiveness of the compensating controls shall be reviewed by the CISO at least annually.

4.6 Notes and comments – Third Six Months

In this phase, Impact Makers recommends implementing additional technical controls to remediate risk as well as documenting procedures, guidelines and standards for software development lifecycle as applicable. Work to remediate risk according to the corrective action plan will continue based on NYCRR 500 requirements, industry standards, and the risk posture of the organization.



5. The Fourth Six Months – 9/1/18 – 3/1/19

The final six-month period focuses on the third party service provider policy, which is section 500.11. If the previous sections have been completed as planned, the cybersecurity program in place should have moved into operational mode with regularly scheduled reviews. Adapting the program to third parties and having them conform, as appropriate, should be clear and evident at this phase. This last time block is dedicated to a smooth transition to managing third party service providers.

5.1 Third Party Service Provider Policy – 500.11 – Fourth Six Months

• Third Party Service Provider Policy. Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers. Such policies and procedures shall be based on the Risk Assessment of the Covered Entity and shall address to the extent applicable:

o The identification and risk assessment of Third Party Service Providers;

o Minimum cybersecurity practices required to be met by such Third Party Service Providers in order for them to do business with the Covered Entity;

o Due diligence processes used to evaluate the adequacy of cybersecurity practices of such Third Party Service Providers; and

o Periodic assessment of such Third Party Service Providers based on the risk they present and the continued adequacy of their cybersecurity practices.

• Such policies and procedures shall include relevant guidelines for due diligence and/or contractual protections relating to Third Party Service Providers including to the extent applicable guidelines addressing:

o The Third Party Service Provider’s policies and procedures for access controls including its use of Multi-Factor Authentication as defined by section 500.12 to limit access to sensitive systems and NPI;

o The Third Party Service Provider’s policies and procedures for use of encryption as defined by section 500.15 to protect NPI in transit and at rest;

o Notice to be provided to the Covered Entity in the event of a Cybersecurity Event directly impacting the Covered Entity’s Information Systems or NPI being held by the Third Party Service Provider; and

o Representations and warranties addressing the Third Party Service Provider’s cybersecurity policies and procedures that relate to the security of the Covered Entity’s Information Systems or NPI.

• Limited Exception. An agent, employee, representative or designee of a Covered Entity who is itself a Covered Entity need not develop its own Third Party Information Security Policy pursuant to this section if the agent, employee, representative or designee follows the policy of the Covered Entity that is required to comply with this Part.

5.2 Notes and comments – Fourth Six Months

In this phase, Impact Makers recommends developing and implementing a robust third-party risk management program. Work to remediate risk according to the corrective action plan will continue based on NYCRR 500 requirements, industry standards, and the risk posture of the organization.


6. Appendices

6.1 Definitions

Affiliate: Any Person that controls, is controlled by or is under common control with another Person. For purposes of this subsection, control means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a Person, whether through the ownership of stock of such Person or otherwise.

Authorized User: Any employee, contractor, agent or other Person that participates in the business operations of a Covered Entity and is authorized to access and use any Information Systems and data of the Covered Entity.

Covered Entity: Any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law. Covered entities in this context are regulated by the New York State Department of Financial Services.

Cybersecurity Event: Any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.

Information System: A discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.

Multi-factor Authentication (MFA): MFA is a method of computer access control in which a user is granted access only after successfully presenting several separate pieces of evidence to an authentication mechanism – typically at least two of the following categories: knowledge (something they know such as a password), possession (something they have such as a token or mobile phone), and inherence (something they are such as biometric characteristics).

Nonpublic Information: All electronic information that is not Publicly Available Information and is:

o Business related information of a Covered Entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the Covered Entity.

o Any information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements: (i) social security number, (ii) drivers’ license number or non-driver identification card number, (iii) account number, credit or debit card number, (iv) any security code, access code or password that would permit access to an individual’s financial account; or (v) biometric records.

o Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual and that relates to (i) the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual's family, (ii) the provision of health care to any individual, or (iii) payment for the provision of health care to any individual.
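Because several later requirements (data retention under 500.13, encryption under 500.15, breach notification) hinge on whether a record is Nonpublic Information, a data-discovery exercise needs the three clauses above as a decision rule. The following classifier is an added example, not part of the playbook or the regulation; the field names and the way health-derived fields and business materiality are supplied are assumptions.

```python
"""Added example: classify a record under the Nonpublic Information definition.

Not part of the playbook. Field names are assumed labels for this example.
"""
from typing import Dict, List, Optional, Set

# Clause labels returned by the classifier (numbering follows 500.01(g)(1)-(3),
# which the playbook cites as 500.01(g)(2)-(3) for the individual and health clauses).
CLAUSE_BUSINESS = "500.01(g)(1) business information with material adverse impact"
CLAUSE_INDIVIDUAL = "500.01(g)(2) individual identifier combined with a data element"
CLAUSE_HEALTH = "500.01(g)(3) health-related information"

# Elements (i)-(v) of the individual clause; field names are assumed.
FINANCIAL_ELEMENTS = {
    "ssn",                 # (i) social security number
    "drivers_license",     # (ii) driver's license or non-driver ID card number
    "account_number",      # (iii) account number, credit or debit card number
    "card_number",
    "security_code",       # (iv) security code, access code or password to a financial account
    "access_code",
    "password",
    "biometric_record",    # (v) biometric records
}
# Fields that identify an individual (name, number, personal mark, other identifier).
IDENTIFIERS = {"name", "customer_id", "personal_mark", "email"}
# The health clause excludes age and gender on their own.
HEALTH_EXCLUSIONS = {"age", "gender"}


def classify_npi(record: Dict[str, object],
                 health_fields: Optional[Set[str]] = None,
                 material_business: bool = False,
                 publicly_available: bool = False) -> List[str]:
    """Return the clauses under which the record is NPI; an empty list means not NPI.

    record            maps field names to values; None or "" counts as absent.
    health_fields     names of fields created by or derived from a health care
                      provider or the individual about health, care or payment.
    material_business whether tampering or disclosure would cause a material
                      adverse impact (a judgement, not something the data shows).
    publicly_available whether the information is Publicly Available Information,
                      which the definition excludes up front.
    """
    if publicly_available:
        return []
    present = {k for k, v in record.items() if v not in (None, "")}
    clauses: List[str] = []
    if material_business:
        clauses.append(CLAUSE_BUSINESS)
    # Identifier alone, or a data element alone, is not enough: both must be present.
    if present & IDENTIFIERS and present & FINANCIAL_ELEMENTS:
        clauses.append(CLAUSE_INDIVIDUAL)
    if health_fields and (present & set(health_fields)) - HEALTH_EXCLUSIONS:
        clauses.append(CLAUSE_HEALTH)
    return clauses


if __name__ == "__main__":
    # Constructed sample records, not real data.
    print(classify_npi({"name": "J. Doe", "ssn": "000-00-0000"}))
    print(classify_npi({"name": "J. Doe", "age": 44}, health_fields={"age"}))
    print(classify_npi({"name": "J. Doe", "diagnosis": "x"}, health_fields={"diagnosis"}))
```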

Additional definition:


Nonpublic Information (New York Law Journal Vol. 257, No. 15, 1/24/2016): The Initial Regulations required “Covered Entities” to protect all “Non-public Information.” The Initial Regulations did not limit “Non-public Information” to personal information about individuals as with other state and federal regulations. Instead, the Initial Regulations defined “non-public information” to include (1) any business-related information that, if tampered with or disclosed, would “cause a material adverse impact to the business, operations or security”; (2) any information an individual provided when obtaining a financial product or service; (3) health-related data; and (4) information typically defined as “personal information” such as an individual’s name plus his or her Social Security number. Now, however, the definition of “Non-public Information” is more practical. The term is still defined more broadly than in other regulations because it still includes business-related (and not just personal) information. However, DFS has deleted the requirement that “any information” received from an individual in connection with providing a financial product or service be protected. From a compliance perspective, this narrower definition of “Non-public Information” will enable “Covered Entities” to more easily identify the data they have that needs to be protected. In addition, because the definition of “Non-public Information” flows through to the updated Regulation’s data breach notification requirements, “Covered Entities” will face a smaller pool of data incidents that will potentially need to be reported to DFS.

Person: Any individual or any non-governmental entity, including but not limited to any non-governmental partnership, corporation, branch, agency or association.

Penetration Testing: A test methodology in which assessors attempt to circumvent or defeat the security features of an Information System by attempting unauthorized penetration of databases or controls from outside or inside the Covered Entity’s Information Systems.

Additional Definition:

Penetration testing is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit. A penetration test, colloquially known as a pen test, is an authorized simulated attack on a computer system that looks for security weaknesses, potentially gaining access to the system's features and data. The process typically identifies the target systems and a particular goal—then reviews available information and undertakes various means to attain the goal. A penetration test target may be a white box (which provides background and system information) or black box (which provides only basic or no information except the company name). A penetration test can help determine whether a system is vulnerable to attack, if the defenses were sufficient, and which defenses (if any) the test defeated.

Publicly Available Information: Any information that a Covered Entity has a reasonable basis to believe is lawfully made available to the general public from federal, state or local government records; widely distributed media; or disclosures to the general public that are required to be made by federal, state or local law.

o For the purposes of this subsection, a Covered Entity has a reasonable basis to believe that information is lawfully made available to the general public if the Covered Entity has taken steps to determine: (i) That the information is of the type that is available to the general public; and (ii) Whether an individual can direct that the information not be made available to the general public and, if so, that such individual has not done so.


Risk Assessment: The risk assessment that each Covered Entity is required to conduct under section 500.09 of the regulation.

Additional Definition:

Information security risk assessment is an on-going process of discovering, correcting and preventing security problems. The risk assessment is an integral part of a risk management process designed to provide appropriate levels of security for information systems.

Risk-Based Authentication: Any risk-based system of authentication that detects anomalies or changes in the normal use patterns of a Person and requires additional verification of the Person’s identity when such deviations or changes are detected, such as through the use of challenge questions.

Senior Officer(s): The senior individual or individuals (acting collectively or as a committee) responsible for the management, operations, security, information systems, compliance and/or risk of a Covered Entity, including a branch or agency of a foreign banking organization subject to this Part. These include the CISO, CEO, CIO, CTO and CFO.

Third-Party Service Provider(s): A Person that (i) is not an Affiliate of the Covered Entity, (ii) provides services to the Covered Entity, and (iii) maintains, processes or otherwise is permitted access to Nonpublic Information through its provision of services to the Covered Entity.


6.2 Frequently Asked Questions

1. Are Healthcare Insurance Companies included under 23 NYCRR 500?

Yes. The NYSDFS has confirmed to the author by phone and email that Healthcare Insurance companies are not exempt unless they qualify under the exemption conditions of the regulation.

2. Are some financial organizations exempt from all provisions of 23 NYCRR 500?

Yes. There are exemptions from some sections of the Regulation for organizations that have fewer than 10 employees, less than $5MM in gross annual revenue in each of the prior 3 years, or have less than $10MM in year-end total assets. Consult the full-text regulation, section 500.19.

The following questions are from the NYSDFS site with the corresponding answers:

1. Under 23 NYCRR 500.17(a), is a Covered Entity required to give notice to the Department when a Cybersecurity Event involves harm to consumers?

Yes. 23 NYCRR 500.17(a) must be read in combination with other laws and regulations that apply to consumer privacy. Under 23 NYCRR 500.17(a)(1), a Covered Entity must give notice to the Department of any Cybersecurity Event “of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body,” which includes many Cybersecurity Events that involve consumer harm, whether actual or potential. To offer just one example, New York’s information security breach and notification law requires notices to affected consumers and to certain government bodies following a data breach. Under 23 NYCRR 500.17(a)(1), when such a data breach constitutes a Cybersecurity Event, it must also be reported to the Department. In addition, under 23 NYCRR 500.17(a)(2), Cybersecurity Events must be reported to the Department if they “have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.” To the extent a Cybersecurity Event involves material consumer harm, it is covered by this provision.

2. Is a Covered Entity required to give notice to consumers affected by a Cybersecurity Event?

Yes. New York’s information security breach and notification law (General Business Law Section 899-aa) requires notice to consumers who have been affected by cybersecurity incidents. Further, under 23 NYCRR Part 500, a Covered Entity’s cybersecurity program and policy must address, to the extent applicable, consumer data privacy and other consumer protection issues. Additionally, Part 500 requires that Covered Entities address as part of their incident response plans external communications in the aftermath of a breach, which includes communication with affected customers. Thus, a Covered Entity’s cybersecurity program and policies will need to address notice to consumers in order to be consistent with the risk-based requirements of 23 NYCRR Part 500.

3. May a Covered Entity adopt portions of an Affiliate's cybersecurity program without adopting all of it?

Yes. A Covered Entity may adopt an Affiliate's cybersecurity program in whole or in part, as long as the Covered Entity's overall cybersecurity program meets all requirements of 23 NYCRR Part 500. The Covered Entity remains responsible for full compliance with the requirements of 23 NYCRR Part 500. To the extent a Covered Entity relies on an Affiliate's cybersecurity program in whole or in part, that program must be made available for examination by the Department.


4. May the certification requirement of 23 NYCRR 500.17(b) be met by an Affiliate?

No. Each Covered Entity is required to annually certify its compliance with Part 500 as required by 23 NYCRR 500.17(b).

5. To the extent a Covered Entity uses an employee of an Affiliate as its Chief Information Security Officer ("CISO"), is the Covered Entity required to satisfy the requirements of 23 NYCRR 500.04(a)(2)-(3)?

Yes. To the extent a Covered Entity utilizes an employee of an Affiliate to serve as the Covered Entity's CISO for purposes of 23 NYCRR 500.04(a), the Affiliate is not considered a Third-Party Service Provider for purposes of 23 NYCRR 500.04(a)(2)-(3). However, the Covered Entity retains full responsibility for compliance with the requirements of 23 NYCRR Part 500 at all times, including ensuring that the CISO responsible for the Covered Entity is performing the duties consistent with this Part.

6. Are the DFS-authorized New York branches, agencies and representative offices of out-of-country foreign banks required to comply with 23 NYCRR Part 500?

Yes. It is further noted that, in such cases, only the Information Systems supporting the branch, agency or representative office, and the Nonpublic Information of the branch, agency or representative office are subject to the applicable requirements of 23 NYCRR Part 500, whether through the branch's, agency's or representative office's development and implementation of its own cybersecurity program or through the adoption of an Affiliate's cybersecurity program.

7. Where interrelated requirements under 23 NYCRR Part 500 are subject to different transitional periods, when and to what extent are Covered Entities required to comply with currently applicable requirements that are impacted by separate requirements for which the applicable transitional period has not yet ended?

Covered Entities have 180 days from the March 1, 2017, effective date to come into compliance with the requirements of 23 NYCRR Part 500 unless otherwise specified in 23 NYCRR 500.22. While complying with currently applicable requirements under the final rule, Covered Entities are generally not required to comply with, or incorporate into their cybersecurity programs, provisions of the regulation for which the applicable transitional period has not yet ended. For example, while Covered Entities will be required to have a cybersecurity program as well as policies and procedures in place by August 28, 2017, the Department recognizes that in some cases there may be updates and revisions thereafter that incorporate the results of a Risk Assessment later conducted, or other elements of Part 500 that are subject to longer transitional periods.

8. When is a Covered Entity required to certify compliance with all the requirements of 23 NYCRR 500?

Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) by February 15, 2018. This initial certification applies to and includes all requirements of 23 NYCRR Part 500 for which the applicable transitional period under 23 NYCRR 500.22 has terminated prior to February 15, 2018. Accordingly, Covered Entities will not be required to submit certification of compliance with the requirements of 23 NYCRR 500.04(b), 500.05, 500.06, 500.08, 500.09, 500.12, 500.13, 500.14 and 500.15 until February 15, 2019, and certification of compliance with 23 NYCRR 500.11 until February 15, 2020.


9. May a Covered Entity submit a certification under 23 NYCRR 500.17(b) if it is not yet in compliance with all applicable requirements of Part 500?

No. The Department expects full compliance with this regulation. A Covered Entity may not submit a certification under 23 NYCRR 500.17(b) unless the Covered Entity is in compliance with all applicable requirements of Part 500 at the time of certification. To the extent a particular requirement of Part 500 is subject to an ongoing transitional period under 23 NYCRR 500.22 at the time of certification, that requirement would not be considered applicable for purposes of a certification under 23 NYCRR 500.17(b).

10. What constitutes "continuous monitoring" for purposes of 23 NYCRR 500.05?

Effective continuous monitoring could be attained through a variety of technical and procedural tools, controls and systems. There is no specific technology that is required to be used to have an effective continuous monitoring program. Effective continuous monitoring generally has the ability to continuously, on an ongoing basis, detect changes or activities within a Covered Entity's Information Systems that may create or indicate the existence of cybersecurity vulnerabilities or malicious activity. In contrast, non-continuous monitoring of Information Systems, such as through periodic manual review of logs and firewall configurations, would not be considered to constitute "effective continuous monitoring" for purposes of 23 NYCRR 500.05.

11. When is a Covered Entity required to report a Cybersecurity Event under 23 NYCRR 500.17(a)?

23 NYCRR 500.17(a) requires Covered Entities to notify the superintendent of certain Cybersecurity Events as promptly as possible but in no event later than 72 hours from a determination that a reportable Cybersecurity Event has occurred. A Cybersecurity Event is reportable if it falls into at least one of the following categories:

o the Cybersecurity Event impacts the Covered Entity and notice of it is required to be provided to any government body, self-regulatory agency or any other supervisory body; or

o the Cybersecurity Event has a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.

An attack on a Covered Entity may constitute a reportable Cybersecurity Event even if the attack is not successful.

12. How should a Covered Entity submit Notices of Exemption, Certifications of Compliance and Notices of Cybersecurity Events?

Cybersecurity Notices of Exemption should be filed electronically via the DFS Web Portal http://www.dfs.ny.gov/about/cybersecurity. You will first be prompted to create an account and log in to the DFS Web Portal, then directed to the filing interface. This account and portal will be used for future regulatory filings relating to cybersecurity, including Notices of Cybersecurity Events and Certifications of Compliance. At this time, Covered Entities should send all Notices of Cybersecurity Events to your normal supervisory staff within the Department. The DFS Web Portal will accommodate Notices of Cybersecurity Events and Certifications of Compliance shortly. Filings made through the DFS Web Portal are preferred to alternative filing mechanisms because the DFS Web Portal provides a secure reporting tool to facilitate compliance with the filing requirements of 23 NYCRR Part 500.

13. Can an entity be both a Covered Entity and a Third-Party Service Provider under 23 NYCRR Part 500?

Yes. If an entity is both a Covered Entity and a Third-Party Service Provider, the entity is responsible for meeting the requirements of 23 NYCRR Part 500 as a Covered Entity.


14. What is required of Third-Party Service Providers in terms of implementing Multi-Factor Authentication and encryption when dealing with a Covered Entity?

23 NYCRR 500.11, among other things, generally requires a Covered Entity to develop and implement written policies and procedures designed to ensure the security of the Covered Entity's Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers. 23 NYCRR 500.11(b) requires a Covered Entity to include in those policies and procedures guidelines, as applicable, addressing certain enumerated issues. Accordingly, 23 NYCRR 500.11(b) requires Covered Entities to make a risk assessment regarding the appropriate controls for Third Party Service Providers based on the individual facts and circumstances presented and does not create a one-size-fits-all solution.


Working with Impact Makers

A Different Experience by Design – We are a management and technology consulting firm with 5 core practices eager to partner for your lasting success. IT Governance, Risk and Compliance (GRC) focuses on the disciplines for protection of IT assets and efficiency of IT operations. In turbulent times like now, when cybersecurity is at the forefront, GRC strengthens compliance and overall security posture through the implementation of preventative controls. What are your organization’s mission and goals? Are IT risks understood by the business? Is your organization facing changes through mergers and/or acquisitions? Are there compliance requirements you must meet? Our approach begins with your business and takes a holistic, risk-based approach to management of information security and protection against cybersecurity threats. We focus on establishing a sound security posture while reducing the cost of containment. Our services support business processes to enable the alignment of business with IT. Our management and technology consultants address the complexity of this area while balancing security with business needs and overall compliance. Our processes analyze threats, vulnerabilities and impact to determine important risk factors, then identify cost-effective mitigation strategies and establish ways to monitor ongoing progress.

How We Do This

We combine a blend of best practices, industry frameworks and project management discipline. From strategy to risk management to security transformation, Impact Makers can help protect the confidentiality, integrity and availability of your organization’s valuable information assets.

[Figure: GRC service areas – Governance, Policies & Procedures; Risk Management; Security Controls; Monitoring; Vulnerability Assessment; Penetration Testing; Security Processes; Security Strategy; Knowledge, Skills & Abilities; Incident Management; Business Continuity Management; Identity & Access Management; Software Assurance; Third-Party Risk]


Impact Makers’ compliance services include the following:

• HIPAA Privacy, Security and Omnibus Rules

• HITRUST Self-Assessment Guidance

• Security Policies, Security Standards, and Audit Standards

• National Institute of Standards and Technology (NIST) Computer Security (800-53)

• Industry Specific “Best Practices”

• Reports and Metrics Guidance

• Compliance Assurance

Our GRC capabilities have garnered the following sample results for our clients.

Capabilities | Results

Assessment & Compliance Services – Security Maturity, HIPAA, NIST 800-53, ISO 27001/2 | A prioritized roadmap to deliver the most protection for the least investment as quickly as possible.

IT & Security Governance Services – CISO Services, IS Data Governance, IS Governance Structure Development, IS Policies and Procedures Development | Expertise in knowing the right level of control to protect the organization while allowing the business to flourish.

Risk Management Services – Data Breach Remediation, Business Continuity Planning, Disaster Recovery Planning, Vulnerability Scanning | Focused, research-based approach to minimizing risks and enabling business results.

Execution Services – IS Program Implementation, GRC Process and Change Management, IT & Security Architecture Design and Development, Security Awareness and Training | Capacity and expertise when you need it, to arrive at your desired security posture when you need to be there.

Contact Us

We would like to help you address your security needs - helping you manage risk is our priority and mission.

Stam Xylas Lead Consultant

(201) 421-0171

[email protected]

Cathie Brown VP of Governance, Risk & Compliance

(434) 665-0345

[email protected]

Adam Foldenauer Financial Services Vertical Lead

(804) 814-5244

[email protected]