Are you compliant?
Last year, the New York State Department of Financial Services (NYDFS) put in place cyber security requirements for financial services entities. Chances are, you aren’t compliant.
So, you say, your organization doesn’t do business in New York. Or your organization is too small to be covered by the new regulations.
But before we discuss some of the highlights, let’s talk about why they matter to every organization that’s connected to the internet.
First, there’s no such thing as too small. In fact, almost half (43%) of all cyber attacks target small and medium-sized businesses (SMBs), and three out of every five will shut down within 6 months of a breach.
Second, the NYDFS regulations provide a useful guide for businesses that want to prepare for the inevitability of a cyber attack. Consider them free best-practices guidance for developing an information security framework that all companies should be adopting in some form.
Third, similar regulations are coming to a state near you. New York is simply ahead of the curve. Given the pace at which cyber breaches are accelerating, we expect many states to follow suit, much like they did after California passed the first Data Breach Notification Law.
Now that we’ve established that everyone is at least indirectly affected, let’s look at who is directly covered.
The requirements cover any NYDFS-regulated organization, such as trust, mortgage, and insurance companies; banks; and licensed lenders. By extension, it includes unregulated third-party service providers (§500.11). By March 1, 2019, all covered entities must establish a security policy for access by all third parties with which they do business. If you have only one client who is subject to these regulations, you’ll be affected.
Companies with fewer than 10 employees, less than $5 million in gross annual revenue in each of the last 3 years, or less than $10 million in year-end total assets are exempt from some, but not all, provisions.
You need a robust security program
At the heart of the regulations is a written cyber security policy (§500.03): Create and maintain a written cyber security policy that aligns with industry best practices and ISO 27001 standards. You should have this in place already, but if you don’t, you can create one. We can’t write it for you, but we can help you assess and address your vulnerabilities.
Through our security information and event management (SIEM) solution, Knight Vision Managed SIEMPLUS, we provide the real-time alerting, correlation, analysis, and auditing that security and compliance need. That provides actionable threat intelligence to you and your team.
Every organization must also designate a qualified Chief Information Security Officer (CISO; §500.04) to oversee and implement the cyber security program and enforce policy. If you are a small company, don’t let the C-suite designation scare you off. You simply need to designate one person for this role. It could be the Chief Information Officer (CIO) or Chief Technology Officer (CTO), or it could be the office manager. But someone needs to be responsible for the administration of the security program.
And again, we can’t be your CISO, but with our services, we can help your CISO do his or her job and keep your organization in compliance.
4 ways Avalon can help you comply
In addition to helping you meet the spirit of the regulations, we can help you meet several specific elements. Here are four examples:
1. Deploy cyber security personnel and intelligence (§500.10): This section requires use of “qualified cybersecurity personnel”—internal or a third-party vendor—who can manage an organization’s cyber security risks. It also requires that the personnel receive “cybersecurity updates and training sufficient to address relevant cybersecurity risks” and “are taking steps to maintain current knowledge of changing cybersecurity threats and countermeasures.”
In plain English, this means you need a team of continuously trained cyber security experts to provide 24/7 coverage. That’s what we do. Our managed detection and response (MDR) team becomes your 24/7 security operations center.
2. Penetration testing and vulnerability management (§500.05) of all financial systems that hold personally identifiable information: Avalon provides penetration testing and vulnerability assessments, as well as continuous monitoring.
- Penetration testing: We safely simulate the actions of a hacker targeting your network and attempt to exploit critical systems to access sensitive data. You should be doing this regularly, regardless of any regulations. Penetration testing validates the effectiveness of your currently deployed security controls and determines how well employees are following existing security policies.
- Vulnerability assessments: Our expert engineers conduct internal and/or external vulnerability scans to identify risks in your company’s environment. We then work closely with you to develop a plan to address the most critical weaknesses and provide insights into the best way to implement improvements.
- Continuous monitoring: Our Knight Vision managed SIEMPLUS provides you with actionable threat intelligence so you can make necessary changes to your security framework.
3. Audit trail (§500.06): This section requires a mechanism to provide a 5-year audit trail of financial transactions and a 3-year mechanism to reconstruct financial transactions.
A full audit trail of user interactions with information systems requires monitoring all user-access events, emails, file shares, etc. Implementing Avalon’s Knight Vision Managed SIEMPLUS accomplishes this. We can provide the real-time alerting, correlation, analysis, and auditing that security and compliance need. Logs and endpoint data are fully searchable. Knight Vision aggregates log data, normalizes and triages alerts, and ultimately provides actionable threat intelligence to you and your team.
4. Develop an incident response plan (§500.16): Covered entities must document and report all cyber security events. Our MDR solution combines the power of user behavior analytics, endpoint detection and response, and log analysis to unify security data in order to detect, investigate, and remediate incidents.
It’s important to remember that security incidents happen all the time, and they don’t always rise to the level of data breaches. You can’t develop an incident response report if you don’t know what the incidents are and, short of active monitoring, there’s no way to quantify them. With our active monitoring, we can detect and quantify threats, document findings, and recommend the appropriate response. The result: the customized cyber security solution you need to fend off future attacks and stay in compliance.
Are you covered by the NYDFS regulations but aren’t sure you’re compliant? We can help you figure that out. Are you coming to the realization that you need to create a viable information security framework? We can help with that, too.
Our dual experience in digital forensic investigations and in mitigating network breaches enables us to provide security assessments, as well as ongoing 24/7/365 monitoring, detection, and response.
Interested? Contact us today for a free security assessment. The NYDFS may not be aiming for you, but cyber criminals are. You are a target. Prepare accordingly.