NYDFS Security Regulation FAQ

A conversation with Ron Pelletier, Founder & Chief Customer Officer, Pondurance and Richard Borden, Counsel, Willkie Farr & Gallagher LLP

There are a lot of cyber regulations being announced. Why is this happening?

Rick: The White House is very focused on cybersecurity risk, and they’ve instructed federal agencies to focus on that risk. The federal agencies are each announcing regulation or guidance on cybersecurity for the entities, the companies, that they regulate.

Ron: We’re seeing an onslaught of cyberattacks that are happening with a lot of consumer demands to do something about it. This can be looked at as an attempt to try to establish standards and guidelines that provide at least a minimum expectation for security. We have breaches that occur every 14 seconds, or at least attempts at breaches. With that sort of statistic, there’s just a tremendous onslaught. This is at least an effort to try to establish a minimum set of security settings.

Rick: One of the things that’s happening — with the Colonial Pipeline and other things where stuff gets shut down, attacks on hospitals, etc. — it’s not just that data is being leaked. It’s that people are being affected directly, and national security and prices are impacted by these things. So the government is very concerned about that.

What is the NYDFS rule and why does it apply to cybersecurity?

Rick: In 2016, the New York Department of Financial Services (NYDFS) issued a cybersecurity regulation that went into effect in 2017 and covered entities, which are insurance companies, insurance brokers, producers, agents, and a variety of other entities, New York state-chartered banks, check cashing companies, etc. In 2021, they started enforcing it and fined a number of companies and consent orders with remediation plans and programs that were intense. 

Ron: The NYDFS standards are specific. For example, the 23 NYCRR part 500 is fairly comprehensive. It is one of the first standards that specified a qualified chief information security officer (CISO). NYDFS expects there to be somebody who can manage the security program for the organization, somebody with the right experience from a technical perspective, with the right experience from a business executive perspective, somebody that can marshal the organization to be in the best state of protection of their data. The CISO has to give a report to the board and not just a committee. This requirement is being replicated in regulations like GLBA and DOL (Department of Labor), and the SEC will most likely follow.

One of the main commonalities in these regulations is multifactor authentication. You will also see this requirement in your application for cyber insurance. By creating a more robust monitoring perspective or a more robust dynamic defense methodology, it will put you in a better position to encounter things that maybe in the past have been difficult to do. For example, we’re working with an organization that was a victim of a zero-day exploit. There wasn’t a counter security patch that was available to a particular specific system on the edge. Without a defense-in-depth monitoring methodology, it’s very difficult to combat. Bad actor groups will exploit those edge devices more and more to the point where they might even be trying to look for their own zero days and using those to make a big score. Without defense-in-depth monitoring, you can fall victim to zero day, which we’re going to see more and more.

What is DOL and how does it apply to cybersecurity?

Rick: The Department of Labor issued cybersecurity guidance, not regulations, to provide best practices for those issuing benefits and pensions. The guidance has a lot of similarities to NYDFS, like making sure you have security competencies and a well-documented security program with policies, procedures, and a risk assessment. They specify that one of the best practice requirements is a reliable third-party audit of security controls, and that’s the key: third-party. This should be an independent assessment. 

Ron: We recommend you do assessments internally to make sure that you can measure your own effectiveness, but getting an independent perspective becomes very important in DOL’s eyes. If you have one third-party organization that’s doing managing and maintaining of infrastructure but also responsible for scanning, monitoring, and assessing the controls in your environment for you, that might even cause some of the separation of duties. We’re also seeing more definition of your data and how that expands past your environment to the cloud. Can you trace it, and can you make sure you have accountability of your third-party service providers? You not only need to manage and set expectations for your service providers, but on some occasion or some level of frequency, you’re going through and conducting reviews making sure they’re doing what you expect them to be doing. 

Like all of the regulations, demand for internal security awareness training is very important to continue to inculcate people with a sense of security and what they’re responsible for; to discern between something that looks like and smells like and acts like a phishing attack; to be circumspect, not paranoid but just armed with the knowledge, that if something seems awry or just seems a little like it’s anomalous, then it probably is. That’s the reinforcement that they’re offering as well.

What are the cyber regulation standards and are there any commonalities?

Ron: The fortunate thing is that there are some commonalities with this, so we don’t have agencies that are developing and implementing their own interpretation of what should be done. We’re seeing things, like basic things, and reiterating some of the basic things that comprise a security program, like a risk assessment. Do your risk assessment, know what you have, know who wants it, and know what really is at risk so you know how to protect it. That helps your organization to ensure you’re allocating the right level of investment as well, starting with that risk assessment. 

Then, it gets tactical. There are a lot of requirements about things like multifactor authentication. It’s been recognized that a password is no longer good enough. Having another factor that can validate your identity is going to be something that is very important. Try getting cyber insurance without multifactor these days! 

From a procedural incident response standpoint, they’re putting in specifications about having an incident response plan; some standards are even creating timelines to notify within a certain amount of time. Those are some of the commonalities. And it’s really all wrapped around one of the things I’m glad to see is happening and that’s there’s more of a pronounced demand — or I should say expectation — for a security competency in-house or even brought from the outside that can really bring that security experience to bear. And then, understand the interpretation of all these guidelines and really create efficiency and effectiveness and make sure security is really driven in a coordinated way.

What are the new SEC requirements around cybersecurity risk management?

Rick: This is a really interesting one. The SEC recently proposed new cybersecurity rules for investment advisers and investment management companies. These are some very large to very small companies, all in financial services. The SEC did something that’s a little bit confusing because they didn’t refer to the standards or some of the prior regulations that they even had been involved with. So we’re not sure exactly yet what this is going to mean, but they did include some very, very complex concepts in the regulations, and it is going to take a significant amount of effort by both the legal and technical sides to make sure that we’re complying. 

One good example is in the assessment that Ron was talking about before. You have to do an assessment. Now, you don’t do the assessment of your whole network; you have to do the components, and you have to prioritize risks — and that’s stuff that is somewhat new and somewhat complicated. So, it’s going to take a significant, new way of thinking about it to meet what the SEC set, and we’ll see what the final rules are like because there’s a comment period and we’re going to be commenting on them. So we’ll see what happens, but this is going to be pretty significant, and the SEC is not done. They said that they’re going to propose new rules for public companies. They may propose to regulate service providers, so we don’t know yet what this is all going to look like.

In 2018, the SEC issued guidance on cybersecurity disclosure for public companies, and there, they tied cyber to Sarbanes-Oxley saying, cybersecurity risk is financial risk and needs to be reported as part of the Sarbanes-Oxley reporting and other disclosure. That hasn’t really happened in the way that I think that the SEC wanted to see, and it appears that they are going to issue much more substantive rules instead of just providing guidance under existing rules.

What do you need to do to meet SEC requirements?

Rick: First, you’re going to have to have a good cybersecurity program, and you’re going to have to look carefully at how that maps to the regulations. We don’t know exactly yet what all of it will be, but it appears that they want to have something top level, and they are, for example, requiring multifactor authentication. They are requiring some sort of detection and response, and it may be managed detection and response to be in place. It isn’t entirely clear yet, but we can see where it’s going, and sophistication is key.

Ron: Yeah, another commonality, and the SEC is no exception, is the requirement for good policies and procedures. At times, organizations can look at this as a very rote exercise. It’s just documentation, let’s put words on paper and let’s just say, hey, we got that, let’s check the box. Where good policies, procedures, and standards are really going to create where the policy says, here’s the cake we’re trying to bake, the standards will say, these are the ingredients, meaning this is how we’re going to measure and making sure the outcome of what we’re trying to do to make ourselves secure, that we put the right stuff into it. 

Then, the procedures, of course, that’s the recipe. This is how we assemble these ingredients and make sure that we follow this so we drive consistency and continuity, which are very important concepts because you want the control to work the same way every time so long as you deem it to be effective. Over time, it’s going to continue in the same manner. That’s the consistency aspect. The continuity, if key people leave, they tend to take information with them, so we want to make sure that there’s something left behind that others can continue to follow, and then it could be updated if things change, the business changes, technology changes, data changes. Being able to document these things becomes very critical, and then you can start to expand out and do the things that you need to do. What about supply chain risk and managing my vendors appropriately? Do I have control of all my assets? Am I applying what needs to be applied from a security standpoint to the various assets? Am I continuing to monitor my assets to make sure that I can detect, respond, and recover to cyber incidents as they occur? So the SEC is no exception in terms of what they’re laying out. 

Rick: Ron makes great points there. On the policies and the procedures, they do have to be written. They are requiring that there be written policies and procedures and that the controls in those policies and procedures be “effective.” What that means is that you have to test, you have to check. It’s an audit content. Auditors are going to come in, and they’re going to look, and they’re going to ask for screenshots to show that not only is it written on paper but that it’s been implemented and it’s working. And that is another level of assurance to make sure that things are happening the way that they’re supposed to happen. That is something that is going to be there and that these companies are going to have to get used to because there’s a lot of work to be done in that.

What is GLBA and how does it apply to cybersecurity?

Rick: GLBA is the Gramm-Leach-Bliley Act, and it regulates financial institutions. There are multiple regulators in there. You’ve got the FTC, the Federal Trade Commission. They regulate a lot of the financial institutions who you wouldn’t even expect, and they just issued new cybersecurity rules as well. That one is actually based largely on something that was done at the New York state level for insurance, the New York Department of Financial Services Cybersecurity Regulation. All the elements that Ron was talking about before — risk assessment, written policies and procedures, vendor management, multifactor authentication — has all of these things built into it, so it’s got a lot of commonality. There’s also a part of Gramm-Leach-Bliley that happens with the SEC, and that’s where these SEC rules touch on that. But the focus, when people are talking about it these days, the change came with the FTC, and that applies to a lot. Then, you also have the insurance departments who oversee the insurers under GLBA, and they have been passing the NAIC Model Data Security Law.

How does the Gramm-Leach-Bliley Act (GLBA) relate to the Securities and Exchange Commission (SEC) rule?

Ron: GLBA already had regulations in the past, but now they’re more specific in that they want to see you be more prescriptive, like an inventory and classification of your data. Additional requirements may be specifying secure development and conducting application testing. The NYDFS has already been doing this. Some of these specific requirements are now really standing out. For example, the requirement is no longer just a penetration test on an annual basis but also vulnerability assessments along the way so that you’re not waiting for an annual point-in-time exercise. Even the disposition of customer data, how do you dispose of it properly? These are some of the things that the GLBA is really expanding on, creating a lot more prescription than they have in the past. 

Rick: The SEC regulates investment advisers and investment companies. The regulations proposed are separate from GLBA as investment advisers and investment companies are regulated in a slightly different way. The GLBA and other regulations, including some that are state-based at the New York Department of Financial Services (NYDFS), are relevant to financial institutions. 

If you’re a financial institution, if you’re an investment adviser, you may have insurance licenses, and you’re subject to what the SEC is doing and the state insurance regulators. Or you may be an investment adviser and you may be licensed by the CFTC. It’s happening in multiple places in multiple ways, and you have to tie it together and get it to all work so that you can comply with all of the regulations and at the same time have a functioning information security program. Make sure that your lawyers and the technical teams are talking so their efforts can complement each other. 

Ron: As an organization, you may be beholden to multiple different types of regulations. Fortunately, most of them are similar, but some standards are a lot more rigorous than others in terms of things like incident reporting and how that’s to be done. One of the best things an organization can do is to not try to conform to compliance, try to be secure. Don’t just try to check a box, make sure that you’re using something that’s going to look at your environment from a 360-degree perspective. If you try to only be compliant with certain standards, then you might leave something out. Most networks are flat, meaning that they’re all interconnected in a way that you can make a lot of jumps from one access path to another, so if you’re concentrating on the front gate and the back gate is open, then that’s problematic for your organization. Using something like a NIST Cybersecurity Framework, using a true security framework in which you can map all of these things to it, don’t try to look at the individual merits of a control specified by one of these standards. Use something like the NIST CSF and then map those standard requirements from these various regulations into them so that you can streamline your process and are more likely to achieve a secure environment, instead of just checking a compliance box.

One of the ways that both Willkie and Pondurance can help customers is to help define whether or not these regulations are applicable to them.

What’s the difference between privacy regulations and information security regulations?

Rick: Privacy regulation is: Did I agree that my data is going to be used in this way? And did I consent to it being collected and transmitted to different places? It’s the regulation of the information security and the information technology areas of companies, how networks, systems, data are protected. These are new types of regulations. In the U.S., regulation is happening in many sectors of our economy on cybersecurity. Companies that think that they’re not regulated today are likely to be regulated tomorrow. It’s key to get the right program in place that’s the right size and the right level of sophistication based on your risk.

How can a cybersecurity provider help you meet new security regulations?

Ron: If you’re not sure, then seek help. In organizations like Willkie and Pondurance and even together, we’ve proven a formula that we can bring. One of the benefits you’re going to get is an independent system that will help bring in the right-size security. No organization is lacking all control, but it’s a matter of shoring things up, making sure that you’re not covered or overcovered in one area but then drastically undercovered in another. Bringing balance to your program is something that we can help with.

How can service providers help with the new cyber regulation requirements?

Rick: I’m a cybersecurity lawyer. I speak to technologists like Ron, and I speak to people in risk — and even in English! We have to be able to speak the same language so somebody, like Ron and Pondurance, understands the legal requirements that I focus on. I understand and am able to talk to them about how things are happening from a technical standpoint and to have an appropriate compliance program because compliance is different than protection. Compliance means that you’re complying with laws, with regulations, that you might get fined if you don’t. You might have other issues if you don’t. So, to have a compliance, you have to marry these. That’s the key, having both pieces but that speak together and are able to put this together in a way that allows you to comply.

Ron: What’s great about what we provide is we’re positioned very well to help organizations that are now under these requirements or demands, everything from being able to do the assessments, and then also — one of the things that’s a commonality too that’s been required is — monitoring, detailing, or even specifying managed detection and response, and a lot of them are even suggesting third party. Pondurance being able to do that, providing full security capability including the managed detection and response, is something we’re very well positioned to do.
