In 2022, we wrote about financial industry regulators raising the cybersecurity bar for the entities they regulate. Since then, the New York Department of Financial Services (NYDFS) cybersecurity regulation has been amended, and the amended regulation is now in Year 2 of its phased rollout. Below is an update on where things stand for financial entities operating in the Empire State.
23 NYCRR part 500 recap
To recap quickly, in 2017 the New York Department of Financial Services adopted cybersecurity regulation 23 NYCRR Part 500. It applies to "covered entities": banks, insurance companies, brokers, lenders, money transmitters, and other businesses that operate in New York under a DFS license, charter, or registration.
This regulation was amended in November 2023, adding specific technical requirements for these entities to comply with, including:
- Vulnerability management for deployed systems
- Password complexity requirements
- Multifactor authentication
- Role-based access control
- Encryption of NPI (nonpublic personal information) at rest and in flight
- Automated vulnerability scanning
- Centralized logging and security event alerting (a SIEM or equivalent), required of Class A companies
- Maintaining an inventory of deployed systems
Patching vulnerabilities
Why do you need an inventory of deployed systems? You can't update what you don't know about. It is essential to know which machines, operating systems, and applications exist in the environment and their current patch levels. With that inventory in hand, unpatched vulnerabilities can be identified, classified by CVSS severity, and remediated within a remediation SLA defined by the business (for example, a shorter window for critical findings than for low-severity ones).
This vulnerability scanning process should be automated to reduce the chance of human error or omission; the amended regulation calls for automated scans at a frequency set by the entity's risk assessment, with manual review where automated scanning is not reasonably feasible. This is a critical part of cyber hygiene for any financial institution. For Class A companies, NYDFS also calls out the need for an endpoint detection and response (EDR) solution and for a SIEM (security information and event management) system that centralizes logs and synthesizes alerts from monitored sources in the environment as an additional automated control.
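As an added example (not Cohesity's code, and not part of the regulation itself), the following Python script shows the triage logic the paragraphs above describe: scanner findings are cross-referenced with an asset inventory, mapped from CVSS v3 base score to a qualitative severity, and checked against business-defined remediation SLAs. Findings on hosts missing from the inventory are surfaced separately, since they cannot be owned or patched. The SLA windows, host names, and CVE identifiers are constructed for illustration.

```python
"""Vulnerability SLA triage against an asset inventory (illustrative example)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Business-defined remediation SLAs in days per severity (assumed values).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str          # placeholder identifiers below, not real CVEs
    cvss: float
    first_seen: date  # date the scanner first reported the finding


def due_date(finding: Finding):
    """SLA deadline for a finding, or None if it carries no risk."""
    severity = cvss_severity(finding.cvss)
    if severity == "none":
        return None
    return finding.first_seen + timedelta(days=SLA_DAYS[severity])


def triage(inventory: dict, findings: list, today: date):
    """Return (overdue, unknown_hosts).

    overdue: list of (finding, days_past_due), most severe and oldest first.
    unknown_hosts: findings whose host is absent from the inventory.
    """
    overdue, unknown = [], []
    for f in findings:
        if f.host not in inventory:
            unknown.append(f)          # cannot assign an owner or patch level
            continue
        due = due_date(f)
        if due is not None and today > due:
            overdue.append((f, (today - due).days))
    overdue.sort(key=lambda item: (-item[0].cvss, -item[1]))
    return overdue, unknown


# Constructed sample inventory and scanner output.
INVENTORY = {
    "ny-web-01": {"os": "Ubuntu 22.04", "owner": "web-team"},
    "ny-db-01": {"os": "RHEL 9", "owner": "dba-team"},
}
FINDINGS = [
    Finding("ny-web-01", "CVE-0000-0001", 9.8, date(2025, 2, 10)),
    Finding("ny-web-01", "CVE-0000-0002", 5.3, date(2024, 11, 1)),
    Finding("ny-db-01", "CVE-0000-0003", 7.5, date(2025, 2, 20)),
    Finding("ny-unknown-99", "CVE-0000-0004", 8.1, date(2025, 1, 15)),
]
TODAY = date(2025, 3, 1)


def report():
    """Run triage over the embedded sample data."""
    return triage(INVENTORY, FINDINGS, TODAY)


if __name__ == "__main__":
    overdue, unknown = report()
    for f, days in overdue:
        owner = INVENTORY[f.host]["owner"]
        print(f"OVERDUE {f.cve} on {f.host} ({owner}): "
              f"{cvss_severity(f.cvss)}, {days} days past SLA")
    for f in unknown:
        print(f"NOT IN INVENTORY {f.host}: {f.cve} (CVSS {f.cvss})")
```

The sort order puts the highest-score, longest-overdue items first, which is the queue a remediation team actually works; the unknown-host bucket is the inventory gap the regulation's asset-inventory requirement is meant to close.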
Hardening of access controls
Another area the amended regulation focuses on is hardening access controls on existing systems. Specifically, it calls for stringent password requirements, multifactor authentication, and role-based access control (RBAC) built on least privilege.
Compromised identity providers played a role in at least 80% of cyber incidents that Cohesity responded to on behalf of our customers within the past year, so the importance of authentication hardening cannot be overstated. Multifactor authentication means that a password exposed through a compromised password vault or credential dump does not by itself grant access to an account; hardening the identity provider itself matters just as much, since an attacker who controls it can issue the tokens MFA is meant to gate. Similarly, properly configured RBAC, in accordance with zero-trust best practices, limits the blast radius of a compromised set of credentials to explicitly configured systems and applications rather than a broader set of workloads in the environment.
Storing and transmitting NPI in an encrypted state
The final technical area the updated regulation focuses on is the identification of NPI (nonpublic information) and the requirement to store and transmit such data in an encrypted state. In the financial services industry, NPI includes personal information about employees, investors, and account holders (social security numbers, home addresses, and similar identifiers) as well as sensitive business information. Leakage of such data outside an organization can trigger regulatory, reputational, and commercial impacts. The focus on encryption is to ensure that, even if a threat is present in the environment, the attacker cannot read stored NPI or make use of NPI intercepted in transit. The regulation permits compensating controls approved annually by the CISO only for data at rest; encryption in transit is required outright. Encrypting data at rest and in flight does not stop exfiltration, but it is one of the best ways to limit the damage when data is taken during a cyber event.
Auditing for compliance
In conjunction with the new technical requirements, the amended NYDFS cybersecurity regulation requires Class A companies to have their cybersecurity programs audited by independent auditors, and every covered entity must file an annual certification of compliance (or an acknowledgment of noncompliance with a remediation plan). There are also new notification mandates: regulated entities must report a cybersecurity incident within 72 hours and any ransomware extortion payment within 24 hours, followed by a written explanation within 30 days. These requirements make clear that incidents of this nature can no longer be swept under the rug and handled internally within a financial institution. Because reporting is compelled, reputational impact is now determined by how effectively an organization responds to the attack.
Fines for entities that fail to comply
NYDFS can also impose fines on entities that fail to comply with the mandates in 23 NYCRR Part 500. These fines can include recurring penalties of up to $1,000 per day for each violation, so the financial impact can balloon quickly when multiple citations run over a longer duration. Recent enforcement examples include a $1.5 million fine against Residential Mortgage Services for failing to disclose a cyber breach that exposed personal data, and a $3 million fine against National Securities Corporation for not implementing MFA and failing to disclose two of four cyber breaches. In another widely reported example, First Unum Life Insurance was fined $1.8 million for failing to implement MFA, falling prey to phishing attacks, and falsely certifying compliance with Part 500. These are just a few of NYDFS's enforcement actions; it remains an extremely motivated and active regulator.
How Cohesity can help
Fortunately, Cohesity is fully prepared to help our customers comply with the new requirements in 23 NYCRR Part 500, many of which went into effect on November 1, 2024. For instance, Cohesity publishes a hardening best practices guide for placing our clusters in the most secure state possible in preparation for a potential attack. Additionally, our Security Advisor functionality can automatically scan deployed clusters to determine whether any configuration drift has occurred from the secure baseline. In terms of encryption, Cohesity offers end-to-end encryption of all data under our protection, both at rest and in flight, which maps directly to the NYDFS NPI encryption mandate. Cohesity is also prepared to help customers create incident response plans, including use of our new Clean Room Solution for ransomware response and mitigation.
Our comprehensive data security platform can also help with specific technical controls in the amended regulation. For instance, the CyberScan application (created in partnership with Tenable) scans protected virtual machines for vulnerabilities, which supports the automated scanning requirement that takes effect on May 1, 2025. From an authentication standpoint, Cohesity supports configurable password complexity, multifactor authentication through native or SAML providers, and customizable granular role-based access control. We can also forward security alerts (including ransomware anomalies detected in backup data) directly to a security information and event management (SIEM) system, integrating backup operations and security operations teams more tightly within our customer base.
Lastly, and perhaps most importantly, the Cohesity Security Center in our Helios control plane automatically creates an asset inventory of all objects in an environment and reports on their data security posture. For instance, the Security Center can identify protected and unprotected objects across all source types (hypervisors, NAS storage, and databases) supported by Cohesity. Proactively, these objects can be scanned for sensitive data and automatically sent to Cohesity FortKnox, our secure vault as a service. Finally, our machine learning-based ransomware anomaly detection flags any objects that may be subject to a ransomware attack and can automatically trigger a threat scan of those objects. This helps security operations teams rapidly understand the blast radius of an attack and the mechanism of compromise, and prepare to respond within a clean room environment. Security Center Inventory unifies these sources of information in a common interface so teams can fully understand the security posture of the objects Cohesity protects.
Please request a meeting with your Cohesity account team. We can assist in determining whether you are in compliance with the updated NYDFS regulation and, if not, suggest remediation approaches.
NYDFS resources checklist
Even with stringent regulatory requirements, Cohesity customers are well-equipped to comply with the revised NYDFS cybersecurity regulation standards. To learn more about the updated NYDFS cybersecurity standards, please review the following resources: