NY DFS Cybersecurity Regulation: Moving to a Managing Access Risk Model
Covering financial services firms operating in the State of New York, the new Cybersecurity Regulation sets out an extensive set of requirements aimed at improving data protection and access management. Identity and Access Management (IAM) will play a pivotal role in meeting compliance and the Regulation’s broader intent.
In effect since March 1, 2017 and in the process of being phased in over the next 18 months, the New York Department of Financial Services (NY DFS) Cybersecurity Regulation has been described as the first in the nation for its detailed cybersecurity requirements for over 3,000 covered financial institutions. Mandating a risk-driven and comprehensive cybersecurity program for companies operating under banking, insurance or financial services law in the State of New York, the regulation is aimed at addressing the systemic threats posed by weak cybersecurity practices and preventing cascading breach notifications that undermine consumer confidence.
What distinguishes the Regulation from existing compliance mandates is its focus on designing and implementing controls (including access controls, multi-factor authentication, encryption, monitoring, and application security) that explicitly address the risk of exposure or attack to a broader category of customer data. This is a material departure from what many have long criticized as a checklist approach to business and consumer data protection.
The impact of this new emphasis on risk containment on IAM programs at covered entities is likely to be profound, albeit consistent with the overall trend toward identity-centric security. At the least, the regulation’s promulgation will create a new sense of urgency for moving further down the path of integrating IAM processes with security operations, including aligning access governance policies (especially for privileged users with elevated risk profiles and for third parties with access to consumer data) with monitoring and unauthorized access detection technologies.
Working Through the Repercussions
In broad strokes, the regulation lays out a set of requirements for building, maintaining and evaluating a cybersecurity program, based on the outcome of a risk-based assessment:
- Identify cyber risks
- Protect against unauthorized access/use or other malicious acts
- Detect cybersecurity events
- Respond to identified cybersecurity events to mitigate any negative effects
- Recover from cybersecurity events and restore normal operations and services
The Regulation is notable for a range of reasons.
First, while it applies only to covered financial services firms in New York state, and it will take up to 18 months for the full extent of the requirements to be enforced, it formally makes cybersecurity programs and data protection a cost of doing business for the entities it covers. And, while there is overlap with existing compliance mandates, the scope of the types and categories of data it covers is significantly broader.
Secondly, the regulation compels covered organizations to understand and mitigate the risks to their business of weak access controls, poor identity management and a limited ability to detect unauthorized access, for both internal users and third parties with access to company data (access management is not the only control explicitly mandated, of course). If covered organizations have not yet embarked on identity transformation initiatives to better focus on managing access risk and governance, this control requirement may well compel them to do so.
Thirdly, the regulation expands the scope of data that needs to be protected. Even for organizations that are currently subject to the Gramm-Leach-Bliley Act (GLBA) or Payment Card Industry Data Security Standard (PCI DSS) for safeguarding personally identifiable financial information or have controls in place to protect access to healthcare information under HIPAA requirements, the regulation’s definition of nonpublic personal information (NPI) is broader still.
Beyond the more traditional forms of personally identifiable information (PII), the definition extends to any “business related information” that would have a material impact if exposed, and to a more extensive list of healthcare data, including even payment for the provision of healthcare.
It’s a Brand New World (for Access Controls)
In contrast to other compliance mandates that can take the form of a “one size fits all” checklist, the regulation emphasizes that the cybersecurity program should be based on the outcome of a risk assessment to evaluate the adequacy of current controls and incorporate controls to mitigate the risks identified in the assessment.
Access management and identity security measures, such as multi-factor authentication and user activity monitoring for indications of account compromise, are among several control requirements that covered entities will now have to implement to reduce the risk of unauthorized access or exposure. They are, however, pivotal to meeting the regulation’s overarching intent of breach prevention and minimizing unauthorized access, whether by insiders such as privileged users or by third parties.
While the first order of business under the regulation is protecting information systems and business and customer data, the first line of defense is managing access: increasingly, making sure that users are who they say they are, and that they aren’t abusing their access privileges. After all, if the access authorization model is poorly defined and overly permissive, measures like encrypting the data or even implementing multi-factor authentication will fall short of addressing the regulation’s core intent.
The regulation has seen a fair amount of criticism for being overly prescriptive, but it still leaves open the question of how to implement access controls and security measures such as multi-factor authentication. As many enterprises would attest, effective identity management and identity-centric security are not simply the outcome of installing a new system or adopting a cloud identity service.
Getting Access Right
Just as the regulation outlines that controls must be "based on the individual facts and circumstances presented", access controls must be based on clear, realistic policies that take into account who the user is, what their organizational role is, and which systems they should have access to so they can get their job done, including appropriate data-level permissions.
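To make the access model described above concrete, here is an added example of a small policy-based access decision function. It is illustrative code written for this page, not code from the article, from NY DFS or from any IAM product, and everything in it is constructed: the roles, systems and data classifications are assumed, as is the policy choice that privileged roles and third parties need a verified MFA session before touching nonpublic information (NPI). Every decision is recorded so that repeated denials can feed the kind of monitoring the regulation expects.

```python
"""Risk-aware access decisions: role, system and data-level permission,
step-up MFA for elevated-risk users, and an audit trail for monitoring.
Added example; all names, roles and policy values below are constructed."""
from collections import Counter
from dataclasses import dataclass

# Data classifications, ordered from least to most sensitive. "NPI" stands in
# for the regulation's nonpublic information category (assumption for this example).
LEVELS = {"public": 0, "internal": 1, "NPI": 2}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    third_party: bool = False   # vendor or other external identity
    mfa_verified: bool = False  # True once a second factor was checked this session


@dataclass(frozen=True)
class Resource:
    system: str
    classification: str  # one of LEVELS


# Constructed policy: role -> {system: highest classification the role may read}.
# A role that is not listed has no access anywhere (deny by default).
POLICY = {
    "teller": {"core-banking": "NPI", "intranet": "internal"},
    "claims-adjuster": {"claims": "NPI", "intranet": "internal"},
    "dba": {"core-banking": "NPI", "claims": "NPI"},
    "vendor-support": {"ticketing": "internal"},
}

# Roles whose broad grants carry an elevated risk profile (assumption).
PRIVILEGED_ROLES = {"dba"}

# Audit trail: (user, system, classification, allowed, reason) per decision.
AUDIT_LOG = []


def reset_audit_log():
    """Clear the audit trail (used when running the example repeatedly)."""
    AUDIT_LOG.clear()


def _record(user, resource, allowed, reason):
    AUDIT_LOG.append((user.name, resource.system, resource.classification, allowed, reason))
    return allowed, reason


def decide(user, resource):
    """Return (allowed, reason) for one access request.

    Checks, in order: the role is allowed on the system at all; the resource's
    classification does not exceed the role's data-level grant; and, for
    privileged roles and third parties, NPI access requires verified MFA.
    """
    grants = POLICY.get(user.role, {})
    max_level = grants.get(resource.system)
    if max_level is None:
        return _record(user, resource, False, "system not in role policy")
    if LEVELS[resource.classification] > LEVELS[max_level]:
        return _record(user, resource, False, "classification exceeds role grant")
    elevated = user.third_party or user.role in PRIVILEGED_ROLES
    if resource.classification == "NPI" and elevated and not user.mfa_verified:
        return _record(user, resource, False, "mfa required for elevated NPI access")
    return _record(user, resource, True, "policy grant")


def repeated_denials(threshold=3):
    """Users with at least `threshold` denied requests in the audit trail.

    A simple signal for the activity monitoring the article mentions: a
    principal repeatedly bumping into policy deserves a closer look.
    """
    counts = Counter(entry[0] for entry in AUDIT_LOG if not entry[3])
    return {name: n for name, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    reset_audit_log()
    print(decide(User("ana", "teller"), Resource("core-banking", "NPI")))
    print(decide(User("raj", "dba"), Resource("claims", "NPI")))
    print(decide(User("raj", "dba", mfa_verified=True), Resource("claims", "NPI")))
    vendor = User("acme-1", "vendor-support", third_party=True)
    print(decide(vendor, Resource("core-banking", "NPI")))
    print(decide(vendor, Resource("ticketing", "NPI")))
    print(repeated_denials(2))
```

The ordering of the checks matters for least privilege: a request fails closed on the coarsest question first (is this role allowed on this system at all?), then on the data-level grant, and only then does the MFA step-up apply, so a third party can never reach NPI simply by completing MFA if their role was never granted that system. The audit trail is what ties the authorization model to detection; in a real deployment those entries would go to the SIEM rather than an in-memory list.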
Getting access right, and ensuring that identity management works together with security monitoring, is going to become integral not only to compliance with the regulation but also to meeting the regulation’s intent of protecting business and consumer data and preventing breaches. Organizations that invest the time and effort in a thoughtful access governance program based on risk and outcome-driven analysis will find themselves complying with both the letter and the intent of the regulation.