The impact of the Equifax breach continues to reverberate throughout the financial services industry as regulators rush to implement requirements that protect sensitive consumer data. The New York Department of Financial Services’ (DFS) 23 NYCRR 500 extends federal cybersecurity standards to improve the overall security of information systems and data for any financial institution located in (or with branches in) New York State.
The Equifax breach confirmed that relying on personally identifiable information (PII) alone is simply not enough to protect consumer and commercial data. Instead, the DFS is encouraging financial institutions to adopt multi-factor authentication (MFA) and risk-based authentication techniques.
As part of the requirement, the DFS outlines the immediate steps institutions need to take:
- Install all information technology and information security patches.
- Ensure all ID theft and fraud protection programs meet Know Your Customer (KYC) requirements, and consider using an identity verification/fraud service.
- Confirm the validity of Equifax credit reports for both new applications and existing clients.
- Consider setting up a customer call center so customers can let their financial institution know if their personal information has been compromised.
- Scrutinize any data provided to Equifax.
Financial institutions may already be adhering to the above steps, but 23 NYCRR 500 goes even further to require additional documentation.
Here are 9 dos and don’ts of the new 23 NYCRR 500 requirements:
- DO assess internal and external risks when developing your cybersecurity policy. Depending on your risk assessment, include multi-factor authentication or risk-based authentication.
- DO assign someone to act as chief information security officer (CISO) to develop and deliver a written report to the board of directors at least annually that describes the cybersecurity program and outlines cybersecurity risks.
- DO ensure your cybersecurity team has the human resources to administer and ensure compliance with the intended cybersecurity program.
- DON’T forget to notify the DFS within 72 hours of any attempts to gain unauthorized access to data.
- DO (beginning February 15, 2018) ensure the chairperson of the board provides a signed certificate indicating that to the best of her knowledge, the institution complies with 23 NYCRR 500.
- DON’T put off preparing to make all documentation — written cybersecurity policy, annual CISO report, documentation of monitoring and testing, procedures for application security, risk assessment and third-party security — available to DFS at any time.
- DO implement written policies and procedures for third parties that have access to data. Include a risk assessment of each party, minimum cybersecurity practices for access controls and encryption, how the third party will notify the financial institution of a cybersecurity event, and how the institution will verify that those practices are adequate.
- DON’T fail to maintain audit trails for reconstructing financial transactions sufficient to support normal operations. DO design audit trails for detecting and responding to cybersecurity events with a reasonable chance of harming the institution. Keep these audit trails for five years.
- DO limit user access privileges to any systems that store nonpublic data, and review these privileges periodically.
23 NYCRR 500 raises the bar on what financial institutions need to do to protect sensitive data. Financial institutions will need to raise the bar on their cybersecurity programs as well.
Crossmatch provides composite authentication solutions, the gold standard in the field, that can help financial services organizations meet the new requirements. To learn more about cost-effective and proactive planning approaches to meeting today’s—and tomorrow’s—compliance requirements, view Crossmatch’s on-demand webinar, A Bridge to NY State’s Cybersecurity Compliance Mandate.
Jeff Carpenter is Director of Identity and Access Management solutions at Crossmatch. In this role, he is responsible for evangelizing Crossmatch’s DigitalPersona® solution. In his 10+ years in cybersecurity, Jeff has held positions with a number of top-tier cybersecurity and technology companies; most recently, he was with RSA, a Dell Technologies company. Jeff earned a Bachelor of Science degree in Business Administration from Creighton University in Omaha, Nebraska. He holds both the Certified Information Systems Security Professional (CISSP) and the Certified Cloud Security Professional (CCSP) designations.