What’s needed for the first NYS DFS cybersecurity transitional phase?

NYS DFS cybersecurity transitional phaseThe first transitional phase of the New York State’s Department of Financial Services (NYS DFS) cybersecurity regulation is upon us. As of August 28th, 2017 covered entities are required to be in compliance with the first phase of the 23 NYCRR Part 500 standard.

The NYS DFS was kind enough not drop the entire regulation on businesses all at once and broke up adherence within transitional phases. This means organizations will have the opportunity create a phased approach based off these transitional phases to become compliant over the next two years.

With the first phase expiring shortly it means covered entities are required to have these particular aspects of the regulation in place during this timeframe.

For the first transitional phase covered entities that aren’t exempt will need to adhere to the following sections within the guidance.

500.02 – Cybersecurity Program

Creating a cybersecurity program that’s directly related to the risk assessment that’s been established for the organization. It’s interesting this is mentioned in this phase since the risk assessment is not brought up until the second phase, but it’s designed to create a program to secure the critical data and systems in the enterprise.

500.03 – Cybsersecuity Policies

Having policy and procedure created and maintained is an important aspect of any cybersecurity program. This section goes into detail on the needed policies and procedures that NYS DFS wants to see in place, which is helpful (E.g asset inventory, network monitoring, incident response, etc.)

500.04 – Chief Information Security Officer

This section is broken into two parts (a) and (b). The first part (a) is the need to have a Chief Information Security Officer designated to the covered entity. This could be a full time role or by a third party service provider (E.g vCISO). The second part (b) CISO reporting is established in the second transitional phase.

500.07 – Access Privileges

The access privileges section is guided towards limiting users access to sensitive data and systems. This requires periodic audit reviews of the user access. There is no mention of a system being put in place, but the ability to put in a privileged access management system to assist with this need might be important based off the company’s size.

500.10 – Cybersecurity Personnel and Intelligence

Being able to manage the cybersecurity program laid out in 500.02 is important. This section details personnel must be trained and have an understanding of cybersecurity. If this isn’t possible there’s the option to utilize a third party, like an MSSP, to assist with this management.

500.16 – Incident Response Plan

Each covered entity needs to have an established incident response plan in order to promptly respond and recover from a cybersecurity event. This takes some work to create and being able to have this document tested before events occurs is important. It doesn’t mention having tabletops, but it’s a great way to validate and sharpen your IR plan.

500.17 – Notification to Superintendent

This part is in reference to alerting the superintendent within 72 hours that a cybersecurity event has occurred that impacts normal business activity or requires a business to notice another regulatory body.

With the first transitional phase expiring it’s important to focus on validating that your organization is up to par with this phase before focusing on other transitional phases. There’s definitely a roadmap approach to becoming compliant to the NYS DFS and by taking advantage of this phased roll out allows organizations to prepare for other phases before they’re in effect. By knowing what areas your organization might need more assistance with early on, using these transitional phases as a roadmap, allows you to prioritize a project plan based off your risk and current security posture.

It’s my opinion that a risk assessment should have been put into the first phase to give organizations a view into where they should be focusing moving forward. The NYS DFS regulation is meant to bring businesses up to a minimum standard of security. Proper planning and understanding of the key dates is important to adhering to the NYS DFS deadlines and not getting caught out of compliance.

Now that we have the first phase under our belts, let’s start focusing on the second phase. Its ending date is March 1st, 2018.