The State of New York Department of Financial Services issued a regulation on Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500), which became effective March 1, 2017 with a 180-day transitional period that ended on August 28, 2017. The regulations include requirements for a Cybersecurity Program led by a Chief Information Security Officer. To assist Covered Entities in reviewing their organization’s compliance with the regulations, Kuma has prepared the following questions, which CISOs and the senior management to whom they report should be prepared to consider.
• Do the Covered Entity’s current programs cover the full range of topics in Sec 500.02 Cybersecurity Program?
• Do the Covered Entity’s current policies cover the full range of topics in Sec 500.03 Cybersecurity Policy?
• If there are gaps in any of the Cybersecurity Policy topic areas, what resources will be required to address the gaps?
• If the Superintendent exercises their authority under Section 500.02 to request Cybersecurity Program documentation and relevant information, what will the CISO deliver?
• What are the top internal and external risks to the security or integrity of Nonpublic Information on the organization’s Information Systems?
• What is the plan to fulfill the Section 500.05 Penetration Testing and Vulnerability Assessment Requirements?
• What processes will the organization implement to conduct Section 500.07 Access Privilege reviews?
• Does the organization have a risk assessment methodology that meets the requirements of Section 500.09?
• How does the CISO identify cybersecurity risks and threats?
• How does the CISO evaluate the adequacy of existing controls in the context of identified risks?
• How does the CISO propose to work with the rest of the organization to determine how risks are mitigated or accepted?
• What sources of information does the CISO use to stay up to date with changing cybersecurity news and current affairs?
• What sources of information do key personnel use to stay up to date with cybersecurity threats and countermeasures?
• How does the CISO plan to manage the risk assessment of Third Party Service Providers?
• How does the CISO evaluate “reasonably equivalent or more secure access control methods” for the purposes of using their authority in part (b) of Section 500.12 to waive the Multi-Factor Authentication requirement?
• How does the CISO plan to work with other organizational units in the Covered Entity to ensure the enforcement of Limitations on Data Retention in Section 500.13?
• How does the CISO evaluate “effective alternate compensating controls” for the purposes of using their authority in part (2) of Section 500.15 to waive the Encryption of Nonpublic Information requirements?
• How does the CISO determine whether a Cybersecurity Event has a reasonable likelihood of material harm and requires Notice to the Superintendent under Section 500.17?
• Is the Covered Entity entitled to any exceptions under Section 500.19?
Careful consideration of these questions should assist the Covered Entity and CISO in ensuring an effective cybersecurity program that complies with the requirements of 23 NYCRR 500. Please reach out to Kuma if we can assist in answering these questions.