What You Need to Know About New York State Department of Financial Services’ Updated Cybersecurity Regulations
On November 1, 2023, the New York State Department of Financial Services (NYDFS) introduced an update to its cybersecurity regulations (commonly known as "23 NYCRR 500" or simply "NYDFS Cybersecurity Regulations"). The goal of this regulation is to enhance cyber governance, mitigate risks, and protect New York businesses and consumers from cyber threats.
The regulations apply to “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law, regardless of whether the covered entity is also regulated by other government agencies." It can also apply to third-party service providers who offer services to those organizations, depending on the nature of the relationship.
This update includes several points where existing guidelines have been clarified and expanded slightly, as well as several requirements that are net new additions to the regulations. Rather than go through everything, this article will provide you with a high-level overview of a few of the biggest changes. Please review the updated regulations for all of the details.
Vulnerability Management Requirements
Vulnerability management tools are designed to scan and analyze the configurations, software versions, and other attributes of individual assets to detect known vulnerabilities or security weaknesses.
While vulnerability assessments were already required under the previous version of the NYDFS cybersecurity regulations, the guidelines have been expanded and added to in the current amendment. Most notably, “These policies and procedures shall be designed to ensure that covered entities: (a) conduct, at a minimum: [...] (2) automated scans of information systems, and a manual review of systems not covered by such scans, for the purpose of discovering, analyzing and reporting vulnerabilities at a frequency determined by the risk assessment, and promptly after any material system changes[.]” (Emphasis added.)
This is important because in order to comply with this section of the regulations you will need to:
Have a comprehensive inventory of all of the assets that exist in your environment.
Know which assets your current vulnerability management solution is capable of scanning, and which assets it is not capable of scanning.
Having both of these tells you which assets you will need to review manually on an annual basis, and lets you plan and scope the effort required to comply with the new regulations. It also means that, to minimize the manual effort required, it is increasingly important to have a vulnerability management solution capable of scanning as many systems in your environment as possible.
Another section of the vulnerability management requirements addresses the need to “(c) timely remediate vulnerabilities, giving priority to vulnerabilities based on the risk they pose to the covered entity.” (Emphasis added.)
Vulnerability management solutions commonly assign a risk score to each identified vulnerability based on factors such as its severity, potential impact, and likelihood of exploitation. This helps you prioritize which vulnerabilities need to be addressed more urgently. However, vulnerability management solutions don’t always understand or take into account your critical business functions and which systems and assets are needed for the continued functioning of those critical functions.
As you prepare to update your policies and procedures to comply with the latest requirements, it would be a good idea to review how your vulnerability management tool evaluates and scores risk. Is it taking into account the importance of the individual asset to your organization, or is it just looking at an arbitrary measurement?
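To make the two points above concrete, here is an added Python sketch (not from the article or from Redjack's platform) that derives the manual-review list from the gap between the asset inventory and the scanner's coverage, and then orders findings by scanner severity weighted by each asset's business criticality rather than by severity alone. Asset names, the 1-5 criticality scale, and the severity figures are constructed for illustration.

```python
# Added example: scan-coverage gap and business-weighted remediation order.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str          # "cloud", "on-prem" or "container"
    criticality: int   # 1 (low) .. 5 (supports a critical business function)


# Constructed sample inventory (hypothetical asset names).
INVENTORY = [
    Asset("payments-db", "on-prem", 5),
    Asset("web-frontend", "cloud", 4),
    Asset("batch-worker", "container", 3),
    Asset("hr-wiki", "cloud", 1),
]

# Assets the hypothetical scanner is capable of reaching (constructed).
SCANNABLE = {"payments-db", "web-frontend", "hr-wiki"}

# Constructed findings: (asset name, finding id, scanner severity 0-10).
FINDINGS = [
    ("hr-wiki", "FINDING-A", 9.8),
    ("payments-db", "FINDING-B", 7.5),
    ("web-frontend", "FINDING-C", 5.3),
]


def manual_review_list(inventory, scannable):
    """Assets the automated scans cannot cover; the regulation text quoted
    above requires a manual review of these."""
    return sorted(a.name for a in inventory if a.name not in scannable)


def prioritized_remediation(inventory, findings):
    """Order findings by severity multiplied by asset criticality, so a
    medium finding on a critical system outranks a critical finding on a
    low-value one. Unknown assets default to criticality 1."""
    crit = {a.name: a.criticality for a in inventory}
    scored = [(sev * crit.get(name, 1), name, fid) for name, fid, sev in findings]
    return [(name, fid, round(score, 1))
            for score, name, fid in sorted(scored, reverse=True)]
```

With this sample data the scanner alone would put the hr-wiki finding first, while the business-weighted order puts payments-db first and hr-wiki last.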
Asset Management Requirement
New in this version of the NYDFS cybersecurity regulations is the requirement “to produce and maintain a complete, accurate and documented asset inventory of the covered entity’s information systems. The asset inventory shall be maintained in accordance with written policies and procedures.”
Traditionally, companies have used a configuration management database (CMDB) to compile an asset inventory. If that wasn’t available, or found to be incomplete, consultants would be hired to compile an asset inventory by interviewing key employees and compiling the results into a master inventory. There are other techniques that can be used as well, but each technique is either excessively manual, tedious, and time-consuming or it offers only a small slice of the total picture. For example, cloud-based asset management solutions are blind to on-premises assets and vice versa, while container-based assets are often missed by both.
In addition to compiling a comprehensive and accurate asset inventory, there is a requirement to maintain the asset inventory. This means that, as new systems are brought online and old systems are retired, the inventory management system is updated. The most efficient way to do this is automatically; however, most of the asset inventory compilation techniques referred to above are highly manual to build and maintain.
A modern way to compile an asset inventory is to place software sensors in your network that capture communications data and use it to create a map of your corporate network infrastructure, including cloud, on-premises, and container-based assets. This gives you complete visibility into the true extent of your environment, including which assets are interrelated or interdependent. It also gives you visibility into your connections with third-party vendors and contractors so that you can measure your third-party risks and dependencies.
Having a centralized understanding of your most important assets, internal or external, as well as a real-time understanding of what they depend on or what depends on them, is a critical foundation for accurate planning, as well as maintaining your cybersecurity compliance.
Business Continuity & Disaster Recovery Plan Requirement
Also new to the NYDFS cybersecurity regulations is the requirement that organizations have a business continuity and disaster recovery (BCDR) plan as part of their wider incident response plan. “BCDR plans shall be reasonably designed to ensure the availability and functionality of the covered entity’s information systems and material services and protect the covered entity’s personnel, assets and nonpublic information in the event of a cybersecurity-related disruption to its normal business activities.” Additionally, “(d) Each covered entity shall periodically, but at a minimum annually, test its: (1) incident response and BCDR plans with all staff and management critical to the response, and shall revise the plan as necessary; and (2) ability to restore its critical data and information systems from backups.”
Before you can create an effective BCDR plan, you need to have complete visibility of your entire IT infrastructure. Having an accurate and complete asset inventory is only one part of the critical foundation you will need. In addition to having an asset inventory, you will need to identify your critical business functions, which assets are required in order for those functions to work properly, and understand how your assets are interconnected. You need to go beyond a static inventory list to having a dynamic map of your IT environment. This will give you the critical information you need to build an effective BCDR plan and be truly resilient.
Deadline
The final thing to be aware of is the fact that “[c]overed entities shall have 180 days from the effective date of the second amendment to this Part to comply with the new requirements set forth in the second amendment to this Part, except as otherwise specified[.]” The effective date of the second amendment is November 1, 2023. This means that financial services companies have around 6 months to comply with the changes and the clock has already started counting down.
In Conclusion
The recent update to the NYDFS cybersecurity regulations underscores the evolving landscape of digital security. The amendments place a spotlight on crucial areas such as vulnerability management, asset inventory, and business continuity and disaster recovery planning. The emphasis on automated scans and comprehensive asset documentation reflects a growing need for proactive cybersecurity measures. The integration of real-time asset visibility and dynamic mapping into security practices is pivotal for effective risk mitigation. As organizations adapt to these changes, they must prioritize not only compliance but also the resilience and adaptability of their cybersecurity frameworks to safeguard against evolving cyber threats and disruptions.
About Redjack
Redjack delivers total asset visibility and AI-powered business insights for cyber resilience. The Redjack platform provides you with evidence-based, unbiased visibility into your organization's IT assets and connections that allows you to prioritize vulnerabilities, accurately evaluate risk, and build effective BCDR and cyber resilience plans.
For over five years Redjack has been successfully implemented in some of the world's largest corporations and government agencies, helping them achieve genuine cyber resilience.