Internal Audit, Risk, Business & Technology Consulting
Decoding NYDFS Part 500
Meeting the Challenges of New York’s Cybersecurity Regulations
Decoding NYDFS Part 500 · 1protiviti.com
Introduction
The New York Department of Financial Services’ (NYDFS) Part 500, Cybersecurity Requirements for Financial Services Companies, went into effect on March 1, 2017.¹ When the guidelines were first proposed, New York Governor Andrew Cuomo said that they were designed to “help guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber attacks to the fullest extent possible.”
NYDFS Part 500 applies to all “covered entities,” which includes all banking organizations, insurance companies, money services businesses and other firms operating in New York under the authorization of the Banking Law, the Insurance Law, and the Financial Services Law. The department is seeking to cast a wider net with these requirements to extend beyond the financial sector and the entities under their control to boost cybersecurity protection and preparedness within the financial and corporate sectors as well as among their vendors.
Covered entities are required to develop and maintain effective cybersecurity programs and to certify annually to the NYDFS that they are meeting the requirements of the regulations. Many organizations are struggling with the practical compliance challenges in core areas, including the risk assessment, definitions of compensating controls and materiality, compliance deadlines, and the certification process.
In this paper, three Protiviti experts — managing director Adam Hamm, former president of the National Association of Insurance Commissioners (NAIC) and former chairman of its Cybersecurity Task Force; managing director Cal Slemp, who leads the security and privacy solutions consulting business globally; and Andrew Retrum, managing director in the financial services industry technology consulting practice — provide some practical guidance on how firms can approach each of these areas to ensure compliance.
DFS Part 500 — Applicability
Covered entities include the following, among others, chartered or licensed by the DFS:
• Insured depository institutions
• Branches, agencies or offices of non-U.S. banks
• Insurance companies
• Trust companies
• Credit unions
• Check cashers
• Money transmitters
• Institutions with BitLicenses
• Mortgage brokers
Not covered entities:
• National banks or banks chartered in other states, including their New York branches
• Federal credit unions
• Broker-dealers
• OCC-chartered branches and agencies of non-U.S. banks
• An affiliate of a covered entity that is not itself a covered entity
¹ www.dfs.ny.gov/about/press/pr1702161.htm
Key Messages
As the linchpin of the entire cybersecurity compliance program, the risk assessment is of prime importance and
as such is the primary focus of this paper, which also provides advice for firms on compliance definitions and
deadlines as well as the certification process. The key messages include:
01 With the deadline of March 1, 2018 fast approaching, firms are advised to ensure the risk assessment is given appropriate attention. This paper introduces a methodology, based on industry-accepted frameworks, that details all of the required steps firms need to take to conduct a comprehensive and compliant risk assessment.
02 NYDFS Part 500 has many requirements with a series of tiered deadlines for compliance, which overlap and can be confusing. Organizations are advised to plan carefully to ensure they implement all of the requirements in good time but also in the correct order to maximize efficiencies.
03 To allow companies to tell the story of NYDFS cyber compliance to examiners, they should establish clear viewpoints to help them manage the scope of the requirements, which includes clarifying how certain terms used in the requirements have been interpreted for their organization.
04 Because a board member or senior official will have to certify that the organization meets all of the requirements of the regulation, it is imperative that the team driving cybersecurity quickly establishes what criteria, information and/or metrics the board will want to see to satisfy compliance requirements.
The Risk Assessment
“Each Covered Entity shall conduct a periodic risk assessment of the covered entity’s information systems sufficient to inform the design of the cybersecurity program. This risk assessment shall allow for revision of controls to respond to technological developments and evolving threats related to cybersecurity, nonpublic information collected or stored, and the effectiveness of controls to protect nonpublic information.”
— NYDFS Regulation – Part 500, Section 500.09
The NYDFS cybersecurity regulations cover a broad
range of topics, including multi-factor authentication,
incident response plans and cybersecurity policies.
The depth and breadth of their implementation
is ultimately derived from the risk assessment
component of the regulation. Every covered entity is
expected to perform and document an enterprisewide
security risk assessment to identify its exposure to
cyber vulnerabilities and the impact from potential
cyber events. These risks should reflect the impact
from a business and a technology perspective. Once
these are established, a thoughtful evaluation can
be made regarding policies, procedures and controls
that need to be put in place to reduce or mitigate the
identified risks.
NYDFS Section 500.09(b) specifically requires the
risk assessment to be carried out in accordance with
an organization’s written policies and procedures,
which need to include:
• Criteria for the evaluation and categorization of
identified cybersecurity risks or threats facing the
covered entity.
• Criteria for the assessment of the confidentiality,
integrity, security and availability of the covered
entity’s information systems and nonpublic
information, including the adequacy of existing
controls in the context of identified risks.
• Requirements describing how identified risks
will be mitigated or accepted based on the risk
assessment and how the cybersecurity program
will address the risks.
The risk assessment requirement provides the
foundation for an organization’s cybersecurity
program, and, based on our observations in the
marketplace, this will be where some of the largest
gaps exist in firms’ preparedness for Part 500.
NYDFS examiners will expect firms to have conducted
a thorough review of their risks and sufficiently
justified and documented their related actions.
Many organizations may seek to rely on previously
completed risk-based work — as an example, work
done in an individual business unit that is expanded
to include the entire organization in an effort to
help speed up the risk assessment process. But
the language used by the NYDFS shows that the
intent of the regulation is for firms to conduct a
holistic and thoroughly documented security risk
assessment, unique to every covered entity, that will
guide compliance efforts with almost every other
component of the regulation. The risk assessment
process is also recurring, as opposed to a single
or occasional event. Companies are starting to realize
just how much work is necessary to complete a
successful risk assessment within the required
time frame.
A successful risk assessment process relies on the
organization employing a certain level of granularity.
This should provide the firm with good cybersecurity
coverage but not overwhelm the security and risk
teams by identifying too many different assets that are
tied to many different risks, which can overcomplicate
the program. Done incorrectly, the risk assessment
process could result in outputs that are not actionable
by the organization, or it could potentially run on
forever. It is essential for firms to have a more
thoughtful approach about how they conduct their
risk assessment to ensure it provides a comprehensive
view across the risks present in the enterprise but
identifies actions that can be completed in a reasonably
short time frame. Ultimately, the risk assessment
should be used as a foundation to justify the actions
firms are taking that are consistent with the risks
they have identified. If they haven’t already done
so, firms need to start on their risk assessment
immediately, to determine their processes, their
conclusions, and how expansive and holistic their
cybersecurity program needs to be.
Protiviti has developed a high-level methodology for
firms embarking on their risk assessment process,
which is customizable to cater to the specific environment
and needs of an organization.
High-Level Overview
The methodology runs through five key activities in order; the sample artifact each stage produces is shown after the arrow:
1. Identify & Rank Assets → Asset Criticality
2. Identify & Assess Threats → Threat Severity
3. Align Threats to Assets → Inherent Risk
4. Map Threats to Mitigating Controls → Risk-Control Mapping
5. Determine Control Effectiveness → Residual Risk

Assessment Approach & Activities
Identify & Rank Assets
Key Activities:
• Establish an appropriate and defensible asset inventory
• Formalize asset criticality based on methodology
Sample Artifacts: Application Inventory; Infrastructure Diagrams; Vendor Catalog; Physical Locations
Identify & Assess Threats
Key Activities:
• Apply threat actor scenarios to the organization to catalogue unique threats
• Probe the organization for threats unique to its business environment or technology
• Assess threats for inherent severity
Sample Artifacts: Product Offerings; Business Roadmap; Technology Roadmap; Political Involvement
Risk-Control Mapping
Key Activities:
• Align threats to inherently vulnerable assets
• Calculate inherent risk based upon threat severity and asset criticality
• Map mitigating controls to inherent risk scenarios
Sample Artifacts: Risk Appetite; ITRM Policies; Risk Register; Control Catalog
Determine Control Effectiveness
Key Activities:
• Identify mitigating controls in the organization’s environment
• Assess the control for design and operating effectiveness
• Calculate residual risk based upon inherent risk scenarios and mitigating control effectiveness
Sample Artifacts: ITRM Policies & Procedures; Process Flows; Evidence of Compliance
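To make the four phases concrete, here is an added worked example (not Protiviti’s methodology or tooling, and not part of the original paper): a small Python risk-register calculator in which inherent risk is asset criticality times threat severity, residual risk discounts inherent risk by the combined effectiveness of the controls mapped to each threat, and every residual score is dispositioned as “mitigate” or “accept” against a risk-appetite threshold, the decision that Section 500.09(b) requires the written procedures to describe. The 1-5 scales, the multiplicative scoring, the effectiveness formula and all sample assets, threats and controls are assumptions constructed for illustration.

```python
"""Toy risk-register calculator following the four phases of the assessment
methodology above: rank assets, assess threats, map threats to controls and
determine control effectiveness. The 1-5 scales, the multiplicative scoring
and all sample data are constructed for illustration (assumptions), not
Protiviti's or the NYDFS's own method."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    criticality: int       # 1 (low) .. 5 (high), output of the asset-ranking step
    tags: frozenset        # e.g. {"npi", "internet-facing"}, used to align threats


@dataclass
class Threat:
    name: str
    severity: int          # 1 .. 5 inherent severity, output of threat assessment
    applies_to: frozenset  # an asset is exposed if it carries any of these tags


@dataclass
class Control:
    name: str
    mitigates: frozenset   # names of the threats this control addresses
    design: float          # 0.0 .. 1.0 design effectiveness
    operating: float       # 0.0 .. 1.0 operating effectiveness


@dataclass
class RiskItem:
    asset: str
    threat: str
    inherent: int
    residual: float
    controls: list = field(default_factory=list)
    disposition: str = ""


def inherent_risk(asset: Asset, threat: Threat) -> int:
    """Inherent risk = asset criticality x threat severity (assumed 1-25 scale)."""
    return asset.criticality * threat.severity


def control_effectiveness(controls: list) -> float:
    """Combined effectiveness of independent controls, 1 - prod(1 - e_i), where
    each control counts only for the weaker of its design and operating scores:
    a well-designed control that is not operating gives little real mitigation."""
    remaining = 1.0
    for c in controls:
        remaining *= 1.0 - min(c.design, c.operating)
    return 1.0 - remaining


def build_risk_register(assets, threats, controls, appetite: float) -> list:
    """Align threats to exposed assets, map controls, compute residual risk and
    record a mitigate/accept disposition against the risk appetite threshold."""
    register = []
    for a in assets:
        for t in threats:
            if not (a.tags & t.applies_to):
                continue           # threat does not align to this asset
            mapped = [c for c in controls if t.name in c.mitigates]
            inh = inherent_risk(a, t)
            res = round(inh * (1.0 - control_effectiveness(mapped)), 2)
            item = RiskItem(a.name, t.name, inh, res, [c.name for c in mapped])
            item.disposition = "mitigate" if res > appetite else "accept"
            register.append(item)
    return sorted(register, key=lambda r: r.residual, reverse=True)


# Constructed sample data: fictitious assets, threats and controls
ASSETS = [
    Asset("Policy admin system", 5, frozenset({"npi", "internet-facing"})),
    Asset("Marketing website", 2, frozenset({"internet-facing"})),
]
THREATS = [
    Threat("Credential theft", 4, frozenset({"internet-facing"})),
    Threat("Data exfiltration", 5, frozenset({"npi"})),
]
CONTROLS = [
    Control("MFA for external access", frozenset({"Credential theft"}), 0.9, 0.8),
    Control("Encryption at rest", frozenset({"Data exfiltration"}), 0.8, 0.5),
]

if __name__ == "__main__":
    for r in build_risk_register(ASSETS, THREATS, CONTROLS, appetite=6.0):
        print(f"{r.asset:<20} {r.threat:<18} inherent={r.inherent:>2} "
              f"residual={r.residual:>5} -> {r.disposition} via {r.controls}")
```

With the sample data, the encryption control's weak operating score leaves data exfiltration from the policy admin system above appetite (residual 12.5, mitigate), while the MFA control brings both credential-theft scenarios into the accept band.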
Meeting the Deadlines
NYDFS Part 500 has a number of compliance deadlines at regular intervals spanning the next two years. From August 28, 2017, firms need to have developed and put in place a risk-based cybersecurity program, cybersecurity policies and an incident response plan. The risk assessment must be completed by March 1, 2018; however, the first certification deadline is February 15, 2018. The order of the deadlines has confused some firms, since the cybersecurity program and policies need to be developed before the deadline for the risk assessment, which arguably needs to be completed (or be well on its way to completion) first to feed into the cybersecurity program and the incident response plan.
Although these dates seem confusing and contradictory, the regulators are suggesting that even though the compliance deadlines are past the first certification date, companies will need to be at an almost complete stage well ahead of the February 15, 2018 certification deadline. The transition periods have been built into the rules to ensure firms are complying with the letter and the spirit of the regulations to such an extent that the person signing the certification can state that the company is in compliance to the best of its knowledge on that date (refer to the section below on certification and process). In short, whoever signs that document dated February 15, 2018, following a review of the company’s progress to that point, will need to be comfortable that they are in compliance or well on the way to being in compliance with every section that is due by the March 1, 2018 deadline.
The following tables set out the individual action items by order of their compliance deadlines.
Effective August 28, 2017 Requirements
500.02 Cybersecurity Program: Develop and maintain a risk-based cybersecurity program designed to identify internal and external risks; use defensive infrastructure and policies and procedures to protect information systems and nonpublic information; and detect, respond to, recover from and report cyber events.
500.03 Cybersecurity Policy: Develop and maintain a risk-based cybersecurity policy that addresses: information security, data governance and classification, asset inventory and device management, access controls and identity management, business continuity and disaster recovery, systems operations and availability concerns, systems and network security, systems and network monitoring, systems and application development and quality assurance, physical security and environmental controls, customer data privacy, vendor and third-party service provider management, risk assessment and incident response.
500.04 (a) Chief Information Security Officer: Appoint a qualified party responsible for overseeing the cybersecurity program, which may be a third-party service provider or affiliate.
500.07 Access Privileges: Establish limits, which are periodically re-evaluated, on user access to nonpublic information.
500.10 Cybersecurity Personnel and Intelligence: Employ qualified individuals to oversee and execute the cybersecurity program; provide training to cybersecurity personnel; and verify that cybersecurity personnel stay current on cyber threats and countermeasures.
500.16 Incident Response Plan: Develop and maintain a written incident response plan that includes internal processes for responding to a cybersecurity event; goals of the incident response plan; delineation of roles and responsibilities; external and internal communications and information sharing; identification and remediation of any weaknesses in information systems and associated controls; documentation and reporting of cybersecurity events and incident response activities; and evaluation and revision, as necessary, of the incident response program.
500.17 Notices to the Superintendent:
• Within 72 hours of a determination of a cybersecurity event, a covered entity shall notify the superintendent if notification of the event is required to be provided to any government body, self-regulatory agency or any other supervisory body and/or if the cyber event has a reasonable likelihood of materially harming any material part of normal operations.
• Annually, by February 15 of each year, submit a written statement from a senior officer(s) or the board of directors, covering the prior calendar year, certifying that the covered entity is in compliance with Part 500.
• Document any self-identified areas, systems, or processes that require material improvement, updating or redesign along with planned remediation and make such information available to the NYDFS.
First certification due February 15, 2018.

Effective March 1, 2018 Requirements
500.04 (b) Annual Report of the CISO: Written annual report by the CISO to the board of directors or equivalent body on the institution’s cybersecurity program that shall consider, to the extent applicable, confidentiality of nonpublic information and integrity and security of information systems; cybersecurity policies and procedures; material cybersecurity risks; overall effectiveness of the cybersecurity program; and material cybersecurity events during the reporting period.
500.05 Pen Testing and Vulnerability Assessments: Annual risk-based penetration testing and risk-based biannual vulnerability assessments, including systematic scans or reviews of information systems designed to identify publicly known cyber vulnerabilities.
500.09 Risk Assessment: Periodic risk assessment carried out in accordance with written policies and procedures that shall include: criteria for evaluation and categorization of cyber risks and threats; criteria for the assessment of confidentiality, integrity, security, and availability of nonpublic information, including the adequacy of associated controls; and requirements describing how risks will be mitigated or accepted and how the cybersecurity program will address these risks.
500.12 Multi-Factor Authentication: Risk-based controls for protecting against unauthorized access to nonpublic information and information systems, which shall include multi-factor authentication or an equivalent method approved by the CISO in writing for individuals accessing internal networks from an external network.
500.14 (b) Cybersecurity Awareness Training: Regular, risk-based cybersecurity awareness training for all personnel.

Effective September 3, 2018 Requirements
500.06 Audit Trail: Maintenance of systems, to the extent applicable and based on the risk assessment, that: (a) are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the entity; and (b) include audit trails designed to detect and respond to cyber events that have a reasonable likelihood of materially harming any material part of normal operations. The record retention period for (a) is five years and for (b) not fewer than three years.
500.08 Application Security: Written procedures, guidelines, and standards, subject to periodic review and updating by the CISO or qualified designee, designed to ensure the use of secure development practices for in-house developed applications and procedures for assessing and testing the security of externally developed applications.
500.13 Limitations on Data Retention: Written policies and procedures for the secure disposal on a periodic basis of nonpublic information no longer needed, except where prohibited by law or regulation, or not feasible due to the manner in which information is maintained.
500.14 (a) Monitoring of Authorized Users: Risk-based policies, procedures, and controls designed to monitor activity of authorized users and detect unauthorized access or tampering.
500.15 Encryption of Nonpublic Information: Encryption of nonpublic information both in transit and at rest or, if not deemed feasible, an alternative method of protection/compensating controls which must be reviewed annually and approved by the CISO.

Effective March 1, 2019 Requirements
500.11 Third-Party Service Provider Security Policy: Written risk-based policies and procedures designed to ensure security of information systems and nonpublic information that are accessible to or held by third-party service providers, which shall address, to the extent applicable, identification and risk assessment of third-party service providers; minimum cybersecurity practices to be met by third-party service providers; due diligence used to evaluate practices of third-party service providers; and periodic risk-based assessment of third-party service providers.
Such policies and procedures shall include: the third-party service provider’s own policies and procedures for access controls, including the use of multi-factor authentication; the third-party service provider’s procedures for encryption; notice requirements imposed on the third party in the event of a cyber event; and representations and warranties provided by the third-party service provider relating to the protection of information systems and nonpublic information. To the extent that an agent, employee, or representative of a covered entity that is a third-party service provider is itself covered by DFS Part 500, a third-party service provider security policy is not required.
Definitions
There is little guidance provided in some sections of the NYDFS Part 500 regulations, which has resulted in confusion about the meaning of certain words. Foremost is the use of the terms “material” and “materially” throughout the document, as well as what constitutes “compensating controls.”
The terms “material” and “materially” are used in five different sections of the regulations but they are currently undefined by the regulator. Covered entities are debating how broadly or how narrowly those terms can be applied. For example, in the Audit Trail section of the regulation (500.06), one of the requirements is for companies to keep records and documents “designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the covered entity.” A firm’s determination of how expansively to view the term “material” will govern its logging and retention of data as it relates to this specific requirement.
A further example is the Notices section of the regulation (500.17), which requires firms to give notice to the superintendent of the NYDFS when certain triggering events occur. One portion states that a covered entity needs to notify the NYDFS anytime there is a cybersecurity event that has a “reasonable likelihood of materially harming any material part of the normal operation(s) of” the covered entity.
In order to show compliance with the requirements, firms will need to define how they have interpreted the terms for their organization. The chosen interpretation of these terms should allow flexibility in the practical application of the rules, both in methods and coverage, which cater to the risk thresholds of the organization.
The reference to “compensating controls” is causing similar debate among covered entities. One specific example concerns the use of multi-factor authentication (MFA) to secure nonpublic information. Not all firms use MFA, so the regulation allows companies to use “effective alternative compensating controls” that have been reviewed and approved by the covered entity’s chief information security officer (CISO). The onus here is on the company to use empirical evidence to demonstrate to the regulators and the CISO that the chosen compensating controls are both reasonable and effective as they relate to the specific control being sought by the regulation. The lack of specificity allows flexibility, but the lack of clarity also makes certification less certain.
Due to the implication and impact of these (and other) definitions, it is our view that covered entities should review their conclusions with experts on this regulation prior to certification.
Certification and Process
From February 15, 2018 forward, every NYDFS-covered entity must certify annually in a written statement that for the preceding calendar year, the company’s cybersecurity program complies with NYDFS Part 500. The statement should be signed by a senior officer or by the company’s board of directors and should state that they have reviewed documents, reports, certifications and opinions of such officers, employees, representatives, outside vendors and other individuals or entities as necessary to be able to certify the company’s compliance to the best of their knowledge. Firms also need to document any self-identified areas, systems, or processes that require material improvement, updating or redesign along with planned remediation and make such information available to the NYDFS (Section 500.17(b)).
The main concern here is the need for an individual, or group of individuals at the board level, to personally attest to the firm’s compliance, without clear indication of the implications if the regulators subsequently find any issues. This is why issues such as definitions around “material” and “compensating controls” are causing so much industry debate: the individuals who are signing the certification document will need to consider carefully how much written evidence and documentation they will need to review to be able to honestly attest to the firm’s compliance.
In addition to the certification statement, covered entities are required to keep appropriate documentation to support the certification. Firms are required to maintain for examination by the NYDFS all records, schedules and data supporting the annual certificate for a period of five years. The company must also document all remedial efforts, planned and underway, concerning areas, systems or processes that have been identified in the certification as requiring material improvement, updating or redesign, and this documentation must be available for inspection by the superintendent.
The NYDFS regulators will be looking for the processes firms have used throughout the entire program, from the foundational, holistic risk assessment to reporting evidence to the board and senior management to support the attestation process. The intention is for this process to form part of an ongoing communication effort that is built into the cybersecurity program to support continuous interrogation and monitoring from the top.
An essential skill for firms to master will be determining the level of complexity and detail to keep packaged up and ready to share with the examiners. Firms need to provide information that is straightforward and adequate to establish compliance. Storing and maintaining records — many of which will contain sensitive information — for five years is cumbersome and expensive; determining the complexity and detail required to satisfy compliance with the letter and the spirit of the regulations is an essential task for companies to master early on in the process. Deciding which records to maintain at this early stage in the implementation process is difficult, however, especially ahead of any formal examinations.
Final Thoughts
The risk assessment is foundational to the NYDFS cybersecurity regulations, and it will require expertise to execute and to balance aligning the program to risk against addressing the expectations of the regulators. Appropriate attention should be given to this requirement. Firms should be well on the way to completing the risk assessment by this time in order to meet the other large compliance deadlines of implementing their cybersecurity policies and programs as well as finalizing their incident response plans ahead of the first certification deadline.
The various deadlines set out in the requirements can be confusing, but by completing the risk assessment piece, firms can create their own roadmaps for compliance that meet all of the tiered dates for compliance.
The language used in the NYDFS Part 500 requirements has created some ambiguity over the meaning of certain terms, specifically “material” and “compensating controls.” In the absence of any further guidance from the NYDFS, and to allow companies to “tell the story” of NYDFS cyber compliance, they should establish clear viewpoints to help clarify how certain terms have been interpreted for their organization.
The individual, or group of individuals at the board level, charged with personally attesting to the firm’s compliance with the cybersecurity regulations must be able to review sufficient written evidence and documentation to allow them to properly certify the firm’s compliance. To do this effectively, entities need to ensure record keeping and continuous monitoring of the firm’s implementation of its cybersecurity program and its ongoing maintenance.
ABOUT PROTIVITI
Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independently owned Member Firms provide consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit to our clients through our network of more than 70 offices in over 20 countries.
We have served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
Contacts
Adam Hamm, Managing Director
Cal Slemp, Managing Director
Andrew Retrum, Managing Director
Scott Laliberte, Managing Director, +1.267.256.8825
© 2017 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0817-103109 Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.
THE AMERICAS UNITED STATES
Alexandria
Atlanta
Baltimore
Boston
Charlotte
Chicago
Cincinnati
Cleveland
Dallas
Fort Lauderdale
Houston
Indianapolis
Kansas City
Los Angeles
Milwaukee
Minneapolis
New York
Orlando
Philadelphia
Phoenix
Pittsburgh
Portland
Richmond
Sacramento
Salt Lake City
San Francisco
San Jose
Seattle
Stamford
St. Louis
Tampa
Washington, D.C.
Winchester
Woodbridge
ARGENTINA*
Buenos Aires
BRAZIL*
Rio de Janeiro Sao Paulo
CANADA
Kitchener-Waterloo Toronto
CHILE*
Santiago
MEXICO*
Mexico City
PERU*
Lima
VENEZUELA*
Caracas
EUROPE MIDDLE EAST AFRICA
FRANCE
Paris
GERMANY
Frankfurt
Munich
ITALY
Milan
Rome
Turin
NETHERLANDS
Amsterdam
UNITED KINGDOM
London
BAHRAIN*
Manama
KUWAIT*
Kuwait City
OMAN*
Muscat
QATAR*
Doha
SAUDI ARABIA*
Riyadh
SOUTH AFRICA*
Johannesburg
UNITED ARAB EMIRATES*
Abu Dhabi
Dubai
ASIA-PACIFIC CHINA
Beijing
Hong Kong
Shanghai
Shenzhen
JAPAN
Osaka
Tokyo
SINGAPORE
Singapore
INDIA*
Bangalore
Hyderabad
Kolkata
Mumbai
New Delhi
AUSTRALIA
Brisbane
Canberra
Melbourne
Sydney
*MEMBER FIRM