providing a total data security / privacy solution. delivering … · 2019-07-25 · 23 nycrr 500...
TRANSCRIPT
Providing A Total Data Security / Privacy
Solution.
Delivering Peace of Mind.
A Dedicated Complete Cyber Security Consulting firm
offering Pre Breach and Audit Solutions serving the Challenging and Underserved CPA & SMB Market
NY Cybersecurity Requirements for all Financial Services Companies
WHAT REGULATION?
New York State
Department of Financial Services
23 NYCRR 500
WHY IMPORTANT TO CPAs
WHAT IS CYBERSECURITY?
Computers
• Desktops
• Laptops
• Tablets
• Phones
Networks
• Servers
• Firewalls
• Peripheral devices
• Internet of Things (IoT)
Data (at rest)
• On file servers
• On computer hard drives
• On backup or removable media
• In the Cloud
Data (in motion)
• Web, portals
• Networks, Wi‐Fi
• Faxes
• Phones
Why is this so important to CPAs?
• Like HIPAA: Business Associate
• 3rd party vendor
• Access to PII & corporate data
WHAT ARE THE OBJECTIVES OF CYBERSECURITY?
• Data Confidentiality
• Data Integrity
• Data Availability
POLL QUESTION No. 1
WHY DOES NEW YORK STATE CARE?
• Ever‐growing cyber threat
• Privacy of NY consumers’ data
• Financial risk to covered entities
• Financial services industry is a significant target
NEW YORK STATE RECENT LAW
“The SHIELD ACT”
The “Stop Hacks and Improve Electronic Data Security” Act 2019
THE BIG QUESTION for the SHIELD ACT:
Do the new regulations affect CPAs?
YES, IF YOUR CLIENT IS A NEW YORK RESIDENT
THE BIG 3 QUESTIONS
1. Do the new DFS regulations affect me?
YES: 3rd Party Vendor
2. How do I comply with the new regulations?
3. What happens if I do not comply?
DO THE NEW REGULATIONS AFFECT ME?
Regulations apply to businesses regulated by NYDFS ‐ this includes:
• Banks and Trust Companies
• Budget Planners
• Charitable Foundations
• Credit Unions
• Insurance Companies (health, life, P&C, Adjusters)
• Holding Companies
• Investment Companies
• Mortgage Bankers and Brokers
• “Third‐Party Service Providers” of any of the above businesses
DO THE NEW REGULATIONS AFFECT ME?
Partial exemptions for companies:
• <10 employees
• <$5M gross annual revenue in each of last 3 years
• <$10M in year‐end total assets
• No non‐public information
Note: What if you go from exempt to non‐exempt?
HOW DO I COMPLY WITH THE NEW REGULATION?
Two broad requirements:
1. Design and Implementation of Cybersecurity Program
2. Self‐Risk Profile Assessment
POLL QUESTION NO. 2
HOW DO I COMPLY WITH THE NEW REGULATION?
Reporting Requirements:
• Annual certification confirming compliance
• Report any act or attempt, successful or unsuccessful
• 72 hours to report cybersecurity event if:
  • Notice is required for any other agency or gov’t body, or
  • Event has a “reasonable likelihood” of materially harming any material part of normal operations
HOW DO I COMPLY WITH THE NEW REGULATION?
Risk Assessment:
• Identify and assess both internal and external risks
• Defensive infrastructure, policies, and procedures to:
  • Protect nonpublic information
  • Deal with any cybersecurity event
• Have a written, easily revisable policy, to protect information
  • Approved by security officer or Board
  • Addresses all aspects of cybersecurity
  • Unique to your business
HOW DO I COMPLY WITH THE NEW REGULATION?
Multi‐Factor Authentication and Encryption:
• Multi‐factor authentication strongly encouraged in general
• Must be used for anyone externally accessing internal network
• Periodically and securely dispose of data
• Encrypt nonpublic information, whether at rest or transmitted
HOW DO I COMPLY WITH THE NEW REGULATION?
Cybersecurity Personnel, Penetration Testing, and Audit Trail:
• Designate CISO
• Do penetration monitoring and testing
• Maintain an audit trail; limit user access appropriately
• Written procedures for evaluating and testing security of externally developed apps
• Qualified cybersecurity personnel to manage risks, and provide updates and training to other personnel
HOW DO I COMPLY WITH THE NEW REGULATIONS
Section 500.10 Cybersecurity Personnel and Intelligence.
(a) Cybersecurity Personnel and Intelligence. In addition to the requirements set forth in 500.04(a), each Covered Entity shall:
(1) utilize qualified cybersecurity personnel of the Covered Entity, an Affiliate or a Third Party Service Provider sufficient to manage the Covered Entity’s cybersecurity risks and to perform or oversee the performance of the core cybersecurity functions specified in section 500.02(b)(1)-(6) of this Part;
(2) provide cybersecurity personnel with cybersecurity updates and training sufficient to address relevant cybersecurity risks; and
(3) verify that key cybersecurity personnel take steps to maintain current knowledge of changing cybersecurity threats and countermeasures.
HOW DO I COMPLY WITH THE NEW REGULATIONS
Section 500.14 Training and Monitoring.
(a) As part of its cybersecurity program, each Covered Entity shall:
(1) implement risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information by such Authorized Users; and
(2) provide for regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the Covered Entity in its Risk Assessment.
THIRD‐PARTY SERVICE PROVIDERS
• Annual written policies and procedures that ensure that all data you protect or hold is kept secure
• Maintain minimum standards
• Periodically update risk assessment for the third‐party
• Provide guidelines for access controls, use of encryption and notice of any cybersecurity event
POLL QUESTION NO. 3
A NOTE ABOUT INSURANCE
• Cyber/data privacy insurance
• Directors & Officers Insurance – failure to develop proper procedures or report on time?
• Errors and omissions – failure to develop an adequate response plan, failure to properly train, failure to develop procedures?
WHAT HAPPENS IF I DON’T COMPLY?
• Not much guidance on enforcement
• “The regulation will be enforced by the superintendent pursuant to, and is not intended to limit, the superintendent’s authority under any applicable laws”
WHAT DO I DO NOW?
• Determine if you are eligible for a limited exemption
• Self‐assess your compliance status
• Unless already in compliance –
  • Undertake a formal gap assessment
  • Remediate compliance gaps
• File annual attestations
• Adhere to your policies and procedures
• Repeat
23 NYCRR 500
CRITICAL DATES
March 1, 2017: Effective Date ‐ NYS Cybersecurity Regulations became effective (23 NYCRR Part 500)
August 28, 2017: Deadline for Compliance ‐ Covered Entities are required to be in compliance with the requirements of 23 NYCRR Part 500, unless otherwise specified
September 27, 2017: Deadline for Exemption Notice – Covered Entities that qualify for a limited exemption must file a Notice of Exemption by this date.
February 15, 2018: Deadline for 1st Annual Certification Submission – Covered Entities are required to file their 1st Certification of Compliance by this date.
March 1, 2018: 1 Year Transitional Period Ends – Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12, and 500.14(b) of 23 NYCRR Part 500 (see regulations document for details of the sections above)
September 3, 2018: 18 Month Transitional Period Ends ‐ Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a), and 500.15 of 23 NYCRR Part 500 (see regulations document for details of the sections above)
February 15, 2019: Deadline for 2nd Annual Certification Submission – Covered Entities are required to file their 2nd Certification of Compliance by this date.
March 1, 2019: Deadline for Full Compliance for All – Covered Entities are required to be fully compliant with the requirements of 23 NYCRR Part 500
New York State Resources
WWW.DFS.NY.GOV/LEGAL/REGULATIONS/ADOPTIONS/DFSRF500TXT.PDF
WWW.DFS.NY.GOV/ABOUT/WHOWESUPERVISE.HTM
QUESTIONS?
CONTACT
ALAN HEYMAN
TEL: 917-833-6591
FREE ONE HOUR CONSULTATION