23 NYCRR 500: Safeguarding Your Data

The Cybersecurity Insider, Free Report (2017/06/02)

Report Highlights: Who Must Comply; How It Works; Cybersecurity Program; Effective & Compliance Dates

By: Yigal Behar


23 NYCRR 500 UPDATE

As of December 2016, the New York State Department of Financial Services (DFS) has established a new cyber security regulation in direct response to the increasing number of attempts by cyber criminals to gain access to valuable data. Since the financial services industry has been a particular target of such cyber-attacks, this measure is considered essential for establishing standards of cyber security for all agencies within the DFS.

Known as 'Cybersecurity Requirements for Financial Services Companies', or 23 NYCRR 500, it is considered to be the first regulation of its kind in the US to establish 16 minimum standards for cyber security compliance. It allows for an 18-month transition period, during which the more than 4,000 agencies under DFS jurisdiction must create written procedures and policies, and enforce them, to demonstrate compliance with the standards set forth in the document.

This report will outline the changes which must be implemented, relative to how you conduct business, in order to be in compliance with the directives issued in 23 NYCRR 500. Three important points will be addressed, the first of which is who exactly needs to comply with the regulation. Next, there will be a discussion of what must be known before compliance efforts are begun, so that time is not wasted and the 18-month transition window can be adhered to. Lastly, this report will provide an option for enlisting the aid of professional security experts in order to achieve the required standards set forth in the new regulation.


WHO MUST COMPLY WITH 23 NYCRR 500?

The regulation requires compliance with its 16 minimum standards by all agencies, companies, and other bodies which it refers to internally as 'covered entities', and it defines the meaning of that term in Section 500.01 Definitions: "Any person operating under, or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law."

It goes on to say that any such agency is free to adopt the cyber security policy of its affiliate company, as long as all 16 points of the regulation are covered in doing so. This also includes all DFS-authorized New York branches, agencies, and representative offices of foreign banks, as their Information Systems departments conduct their operations.


ALL entities regulated by the Department of Financial Services (DFS) must comply, BUT a limited exemption applies to covered entities with:

• Fewer than 10 employees (including independent contractors), OR
• Less than 10 million in year-end total assets, OR
• Less than 5 million in gross revenue.

The limited exemption ALSO applies to:

• Employees, agents, representatives or designees of a covered entity
• A covered entity that does not directly or indirectly operate, maintain, utilize or control any information systems

If you qualify for the limited exemption, you must file a notice with the DFS. In the event you cease to qualify as of the most recent fiscal year end, you then have 180 days from fiscal year end to comply.


WHAT YOU NEED TO KNOW

Prior to 23 NYCRR 500, risk assessment was strongly recommended for financial institutions or 'covered entities' as part of their cyber security policies, but under the terms of the new regulation that risk assessment is now a requirement, and must be used to identify gaps in the security program so that steps can be taken to remediate any shortcomings. Section 500.09 specifically mandates that all covered entities must conduct risk assessments periodically, during which the overall cyber security program is to be evaluated in terms of its hardware and software, procedures and policies, and the practices of third-party providers with whom it conducts business.

The whole point of 23 NYCRR 500 is to protect non-public information from unauthorized access by using advanced security measures and authentication procedures which rely on both anomaly detection and discrepancies in normal use patterns. The term used to cover this is 'risk-based authentication', and by requiring multiple forms of verification, it is thought that unauthorized access will be virtually eliminated.

The three forms of authentication specifically recommended fall into the categories of knowledge factors, possession factors, and biometric factors. Knowledge factors include pieces of information that only employees would know, for instance passwords; possession factors are items which might take the form of a cell phone text message or some kind of token; and inherence (biometric) factors include one or more types of biometric characteristics. These can be traditional fingerprint scans or retinal scans, as well as any other regularly performed actions that uniquely identify an individual and are virtually impossible for another person to reproduce.

CYBERSECURITY PROGRAM

The cyber security program is to be based upon this risk assessment, and must include all of the following ingredients:

• Risk Identification - risks must be identified by performing a risk assessment and assessed for whether they are relevant to the entity and may threaten the security of data considered to be non-public in nature.

• Policies And Procedures - these documents will be written based on the relevant threats identified in the risk assessment and will govern the protection of non-public information.

• Defensive Measures - any and all possible defensive measures must be adopted and used to protect the covered entity's sensitive data.

• Event Detection - all cyber security events must be detected by measures in place at the installation.

• Incident Response - detected events must be responded to with all possible haste to minimize any negative impacts from the intrusion.

• Intrusion Recovery - plans must be in place for recovery from unauthorized intrusion, so normal operations can be restored as fast as possible.

• Reporting - procedures must be in place to satisfy all required reporting obligations.

EFFECTIVE & COMPLIANCE DATES

The transition period compliance dates and the specific points which must be complied with by those dates are as follows:

Regulation effective date: March 1, 2017

Transitional periods for each part of the regulation:

• August 28, 2017
• February 15, 2018
• March 1, 2018
• September 3, 2018
• March 1, 2019

Exempted Agencies At Minimum Must Comply:

• Maintain cybersecurity program
• File Notice of Exemption with Superintendent
• Submit annual certification of compliance to Superintendent
• Implement written policies and procedures to ensure security of nonpublic information
• Notify Superintendent of cybersecurity events as required
• Limit user access privileges as part of cybersecurity program

Agencies Who Do NOT Qualify For Limited Exemption In Addition Will Need To Meet The Following:

• Implement & maintain cybersecurity policy
• Designate Chief Information Security Officer (CISO)
• Conduct annual penetration testing
• Annual penetration testing and bi-annual vulnerability assessments
• CISO must provide annual report to board or governing body of agency
• Establish a written incident response plan
• Utilize qualified cybersecurity personnel
• Multi-factor authentication if needed to protect against unauthorized access to its information systems
• Monitor authorized users by using policies, procedures, and controls to detect unauthorized access of data by authorized or in-house users
• Encryption of data both in transit over external networks and at rest
• Establish procedures, guidelines and standards for development of in-house developed applications
• Audit trails must be established for the detection and prevention of cyber security events
• Provide regular cybersecurity awareness training for all personnel

Company Profile

Sophisticated cyber-attacks are becoming more common by the day, with small businesses proving to be the preferred target of cyber criminals. We know that keeping up with the latest cyber threats isn't easy and that technology alone can easily fail at safeguarding your data. Unlike many other IT companies where security is just one part of what they do, at 2Secure, securing our clients' data assets and computer networks is our sole focus.

Founded by Yigal Behar in 2004, 2Secure Corp has been serving banks, hedge funds, and private companies for more than 15 years. With experience in auditing and testing the computer networks of over 125 local businesses of all shapes and sizes against cyber threats, we've become the go-to trusted experts on how to proactively secure small business networks and to reactively secure networks that have already been breached.

Our CEO and Lead Cybersecurity Consultant, Yigal, has experience working as a cyber security consultant for Avnet Deloitte & Touche LTD. He's worked in Israel for various governmental agencies, such as the Social Security Administration, the Israel Prime Minister's Office, banks, and other private companies.

Products and Services

• Protection Detection & Respond - PDR Services
• MalwareArmour - Malware Endpoint Protection Software - Patent Pending
• Cybersecurity Readiness and Assessments
• Malware Attack Simulation - MAS
• Security Education & Awareness Training

3 Big Reasons SMB Businesses Select 2Secure To Manage Their Network Security:

1. 100% Security Focused. While most other IT companies try to be everything to everyone, we focus solely on IT security for small to midsize businesses (the preferred target for hackers and cyber thieves).

2. Depth Of Real World Security Expertise. 2Secure has been called on by hundreds of local businesses to either audit their security readiness, provide education and awareness training, or provide stealth penetration testing.

3. Flexible Engagements. While other companies force you into a long term contract before working with you, we offer flexible engagements. Whether you're looking for particular security testing or a long-term IT partner to secure your data assets and network, we have options.

Some Of The Clients We Work With Include…

Our portfolio combines small to midsize companies that have many common challenges when it comes to cybersecurity; small or big, we all look for peace of mind knowing our data is kept safe. We provide them with various services such as penetration testing, network security assessments and managed security.

Some of the current clients that have agreed for us to share their name include:

Southern Connecticut State University | Mercy College | Polish & Slavic Federal Credit Union | Imaginer Technologies | PKF O'Connor Davies, LLP | Advanced Funds Network, LLC | Business Credit & Capital | Alpha-En Corporation

It is the smallest things that can do the most damage. In the realm of security there is no greater asset than someone who can protect you from the things you didn't even know existed. 2Secure Corp does an amazing job at keeping our operations safe and secure, at a price that works for us. Whenever we had any emergency it was dealt with the immediacy we have grown to expect and the solutions provided were both accurate and cost effective for our organization.

ACCURATE AND COST EFFECTIVE FOR OUR ORGANIZATION

We have been working with 2Secure for 4 years now and we would highly recommend them. Their ability to strategize and implement on our IT needs, especially as related to security, has been top notch. Everybody is aware of the importance of network security and 2Secure Corp has proven to be proactive and ahead of the ever-changing threats we face.

PROACTIVE AND AHEAD OF THE EVER-CHANGING THREATS WE FACE.

Yigal Behar and 2Secure have been exceptional business partners in providing hands-on technical information security expertise to complement our internal capabilities, and assist in solving tough security problems demanding creative solutions, providing peace of mind to our clients.

HANDS-ON, CREATIVE SOLUTIONS & PEACE OF MIND

Brian McGinley, Senior Vice President, Data Risk Management, IDentity Theft 911, LLC

David Cotton, Managing Partner, Business Credit & Capital

Douglas A. Haddad, Managing Partner, Advanced Funds Network LLC

TEL: 646-755-3933 | [email protected] | WWW.2SECURE.BIZ

"OUNCE OF PREVENTION IS WORTH A POUND OF CURE"