The New York State Department of Financial Services (NYDFS) has recently enacted new cybersecurity regulation aimed at protecting financial services organizations and their data. The new regulation known as 23 NYCRR 500 actually went into effect earlier in the year, but the 180-day transition period ended on August 28th, meaning organizations now need to be officially in compliance. Of course financial services CISOs are no strangers to regulation, having to already comply with a dizzying array of control frameworks including NIST, COBIT, SSAE and specific regulations such as PCI-DSS and SEC OCIE just to name a few.
However, the NYDFS requirements are poised to be a significant addition for a few reasons. First, the reach is significant. While it is a state regulation, it will naturally apply to companies that do business in New York, including businesses headquartered outside the state as well as international companies. Additionally, the regulation requires organizations to ensure that the third party organizations that they do business with are secure as well.
In addition to its official reach, NYDFS is both forward-leaning and specific in some of its requirements. In particular the regulation establishes a risk-based approach to a variety of security controls and even specifies instances where multi-factor authentication is needed. Let’s take a look at some of the particulars and how Preempt can help keep you compliant.
The NYDFS gets pretty specific in terms of how organizations will need to identify risks. Organizations will need to either establish continuous monitoring for internal and external threats, or will need to submit to a regular schedule of penetration testing and vulnerability testing. The key part of this sentence is the “or”. By adopting continuous monitoring, organizations can simplify their compliance process and remove the need to document pen tests and vulnerability testing.
Preempt provides a simple, low-friction way to establish continuous, real-time monitoring in an environment. And while regular pen testing is always a good idea, anything that makes documenting compliance easier is always a good thing. But more importantly, the resulting visibility and control provided by Preempt’s continuous monitoring will make it easier for the organization to meet other NYDFS requirements as well.
User and Device Control
The NYDFS also requires organizations to monitor and control the entities in their environment. This includes device-centric requirements to perform asset inventory and device management as well as more user-centric requirements for access controls and identity management.
Preempt automatically keeps track of users, service accounts, and all of their related devices. Simply being able to document up-to-the-minute visibility of these entities can be very powerful during an audit. The solution not only monitors users, accounts, and devices, but also makes it easy to set policies to control access based on any number of factors including the user role, risk, or type of device in use. This combination of visibility and auditable policy enforcement puts organizations on very solid ground when it comes to documenting compliance.
Context Based on Risk
Next, the NYDFS requirements repeatedly call out the need to identify and manage risk in the environment. Specifically, the regulation calls out the need to establish “risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information…”
Additionally, the regulation calls out the need for risk-based authentication controls, and has very pointed requirements for the use of multi-factor authentication. Risk-based authentication is defined as a system that “detects anomalies or changes in the normal use patterns of a Person and requires additional verification of the Person’s identity when such deviations or changes are detected.” The document even calls out the need to trigger multi-factor authentication for any connections to internal assets from an outside network.
Preempt is uniquely suited to meet these requirements. All entities in the network are constantly monitored and scored based on their observed risk. Risk could be recognized based on environmental factors such as the use of a weak password, use of an unmanaged device, or a connection from an outside network. The solution likewise learns the behavior of every entity to recognize and raise the risk in response to abnormal behavior. Any of these action or the composite risk score can be used to drive a policy-based response such as a multi-factor authentication challenge or an outright block.
While no security product is a silver bullet for regulatory issues, it is clear that the Preempt solution aligns with many of the core concepts behind the NYDFS regulation. While we encourage you to review the regulation yourself, a solution based on continuous monitoring that enforces policies based on the observed risk of users, devices, and critical assets sounds like just what the doctor ordered.