
Internal Audit, Risk, Business & Technology Consulting

Decoding NYDFS Part 500

Meeting the Challenges of New York’s Cybersecurity Regulations


Decoding NYDFS Part 500 · 1protiviti.com

Introduction

The New York Department of Financial Services’ (NYDFS) Part 500, Cybersecurity Requirements for Financial Services Companies, went into effect on March 1, 2017.1 When the guidelines were first proposed, New York Governor Andrew Cuomo said that they were designed to “help guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber attacks to the fullest extent possible.”

NYDFS Part 500 applies to all “covered entities,” which includes all banking organizations, insurance companies, money services businesses and other firms operating in New York under the authorization of the Banking Law, the Insurance Law, and the Financial Services Law. The department is seeking to cast a wider net with these requirements, extending beyond the financial sector and the entities under its control to boost cybersecurity protection and preparedness within the financial and corporate sectors as well as among their vendors.

Covered entities are required to develop and maintain effective cybersecurity programs and to certify annually to the NYDFS that they are meeting the requirements of the regulations. Many organizations are struggling with the practical compliance challenges in core areas, including the risk assessment, the definitions of compensating controls and materiality, the compliance deadlines, and the certification process.

In this paper, three Protiviti experts — managing director Adam Hamm, former president of the National Association of Insurance Commissioners (NAIC) and former chairman of its Cybersecurity Task Force; managing director Cal Slemp, who leads the security and privacy solutions consulting business globally; and Andrew Retrum, managing director in the financial services industry technology consulting practice — provide practical guidance on how firms can approach each of these areas to ensure compliance.

DFS Part 500 — Applicability

Covered entities include the following, among others, chartered or licensed by the DFS:

• Insured depository institutions

• Branches, agencies or offices of non-U.S. banks

• Insurance companies

• Trust companies

• Credit unions

• Check cashers

• Money transmitters

• Institutions with BitLicenses

• Mortgage brokers

Not covered entities:

• National banks or banks chartered in other states, including their New York branches

• Federal credit unions

• Broker-dealers

• OCC-chartered branches and agencies of non-U.S. banks

• An affiliate of a covered entity that is not itself a covered entity

1 www.dfs.ny.gov/about/press/pr1702161.htm.


Key Messages

As the linchpin of the entire cybersecurity compliance program, the risk assessment is of prime importance and as such is the primary focus of this paper, which also provides advice for firms on compliance definitions and deadlines as well as the certification process. The key messages include:

01. With the deadline of March 1, 2018 fast approaching, firms are advised to ensure the risk assessment is given appropriate attention. This paper introduces a methodology, based on industry-accepted frameworks, that details all of the required steps firms need to take to conduct a comprehensive and compliant risk assessment.

02. NYDFS Part 500 has many requirements with a series of tiered deadlines for compliance, which overlap and can be confusing. Organizations are advised to plan carefully to ensure they implement all of the requirements in good time but also in the correct order to maximize efficiencies.

03. To allow companies to tell the story of NYDFS cyber compliance to examiners, they should establish clear viewpoints to help them manage the scope of the requirements, which includes clarifying how certain terms used in the requirements have been interpreted for their organization.

04. Because a board member or senior official will have to certify that the organization meets all of the requirements of the regulation, it is imperative that the team driving cybersecurity quickly establishes what criteria, information and/or metrics the board will want to see to satisfy compliance requirements.

The language used by the NYDFS shows that the intent of the regulation is for firms to conduct a holistic and thoroughly documented security risk assessment, unique to every covered entity, which will guide compliance efforts with almost every other component of the regulation.


The Risk Assessment

“Each Covered Entity shall conduct a periodic risk assessment of the covered entity’s information systems sufficient to inform the design of the cybersecurity program. This risk assessment shall allow for revision of controls to respond to technological developments and evolving threats related to cybersecurity, nonpublic information collected or stored, and the effectiveness of controls to protect nonpublic information.”

— NYDFS Regulation – Part 500, Section 500.09

The NYDFS cybersecurity regulations cover a broad range of topics, including multi-factor authentication, incident response plans and cybersecurity policies. The depth and breadth of their implementation is ultimately derived from the risk assessment component of the regulation. Every covered entity is expected to perform and document an enterprisewide security risk assessment to identify its exposure to cyber vulnerabilities and the impact of potential cyber events. These risks should reflect the impact from both a business and a technology perspective. Once these are established, a thoughtful evaluation can be made of the policies, procedures and controls that need to be put in place to reduce or mitigate the identified risks.

NYDFS Section 500.09(b) specifically requires the risk assessment to be carried out in accordance with an organization’s written policies and procedures, which need to include:

• Criteria for the evaluation and categorization of identified cybersecurity risks or threats facing the covered entity.

• Criteria for the assessment of the confidentiality, integrity, security and availability of the covered entity’s information systems and nonpublic information, including the adequacy of existing controls in the context of identified risks.

• Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the cybersecurity program will address the risks.

The risk assessment requirement provides the foundation for an organization’s cybersecurity program, and, based on our observations in the marketplace, this will be where some of the largest gaps exist in firms’ preparedness for Part 500. NYDFS examiners will expect firms to have conducted a thorough review of their risks and to have sufficiently justified and documented their related actions. Many organizations may seek to rely on previously completed risk-based work — for example, work done in an individual business unit that is expanded to cover the entire organization in an effort to speed up the risk assessment process. But the language used by the NYDFS shows that the intent of the regulation is for firms to conduct a holistic and thoroughly documented security risk assessment, unique to every covered entity, that will guide compliance efforts with almost every other component of the regulation. The risk assessment process is also recurring, as opposed to a single or occasional event. Companies are starting to realize just how much work is necessary to complete a successful risk assessment within the required time frame.

A successful risk assessment process relies on the organization employing an appropriate level of granularity. This should give the firm good cybersecurity coverage without overwhelming the security and risk teams by identifying too many different assets tied to too many different risks, which overcomplicates the program. Done incorrectly, the risk assessment process could produce outputs that are not actionable by the organization, or it could potentially run on forever. It is essential for firms to take a thoughtful approach to how they conduct their risk assessment, so that it provides a comprehensive view across the risks present in the enterprise yet identifies actions that can be completed in a reasonably short time frame. Ultimately, the risk assessment should be used as a foundation to justify the actions firms are taking as consistent with the risks they have identified. If they haven’t already done so, firms need to start on their risk assessment immediately, to determine their processes, their conclusions, and how expansive and holistic their cybersecurity program needs to be.

Protiviti has developed a high-level methodology for firms embarking on their risk assessment process, which is customizable to cater to the specific environment and needs of an organization.

Assessment Approach & Activities

High-Level Overview

The methodology runs through five stages, each producing an output that feeds the next: Identify & Rank Assets (Asset Criticality), Identify & Assess Threats (Threat Severity), Align Threats to Assets (Inherent Risk), Map Threats to Mitigating Controls (Risk-Control Mapping) and Determine Control Effectiveness (Residual Risk).

Key Activities and Sample Artifacts

Identify & Rank Assets

• Establish an appropriate and defensible asset inventory

• Formalize asset criticality based on the methodology

Sample artifacts: Application Inventory; Infrastructure Diagrams; Vendor Catalog; Physical Locations

Identify & Assess Threats

• Apply threat actor scenarios to the organization to catalogue its threats

• Probe the organization for threats unique to its business environment or technology

• Assess threats for inherent severity

Sample artifacts: Product Offerings; Business Roadmap; Technology Roadmap; Political Involvement

Risk-Control Mapping

• Align threats to inherently vulnerable assets

• Calculate inherent risk based upon threat severity and asset criticality

• Map mitigating controls to inherent risk scenarios

Sample artifacts: Risk Appetite; ITRM Policies; Risk Register; Control Catalog

Determine Control Effectiveness

• Identify mitigating controls in the organization’s environment

• Assess each control for design and operating effectiveness

• Calculate residual risk based upon inherent risk scenarios and mitigating control effectiveness

Sample artifacts: ITRM Policies & Procedures; Process Flows; Evidence of Compliance
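The four activities above reduce to a small amount of arithmetic once assets, threats and controls sit in a register. The Python below is an added example written for this edition, not Protiviti’s methodology or tooling: the 1-to-5 ordinal scales, the criticality-times-severity inherent-risk formula, the multiplicative layering of controls, the half-credit rule for a control that passes design but fails operating-effectiveness testing, the risk-appetite threshold and the sample assets, threats and controls are all assumptions chosen to show how residual risk and a mitigate-or-accept disposition (the 500.09(b) requirement) fall out of the mapping.

```python
"""Risk register arithmetic for a Part 500 style risk assessment.

Added example for this edition, not Protiviti's methodology or tooling.
Assumptions: 1-5 ordinal scales for asset criticality and threat severity,
inherent risk = criticality x severity, controls remove a fraction of the
remaining risk, and a control that passes design but fails operating
effectiveness testing earns half credit. Sample data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int          # 1 (low) .. 5 (critical), from the asset inventory


@dataclass(frozen=True)
class Threat:
    name: str
    severity: int             # 1 .. 5 inherent severity of the threat scenario
    targets: Tuple[str, ...]  # asset names the threat is aligned to


@dataclass(frozen=True)
class Control:
    name: str
    mitigates: Tuple[str, ...]  # threat names this control is mapped to
    design_ok: bool             # design effectiveness test passed
    operating_ok: bool          # operating effectiveness test passed
    strength: float             # fraction of remaining risk removed, 0.0 .. 1.0


def control_effectiveness(c: Control) -> float:
    """Assumed rule: no credit if the design is ineffective; half credit if the
    design is sound but the operating-effectiveness test failed."""
    if not c.design_ok:
        return 0.0
    return c.strength if c.operating_ok else c.strength * 0.5


def inherent_risk(asset: Asset, threat: Threat) -> int:
    """Inherent risk before controls: criticality x severity, so 1 .. 25."""
    return asset.criticality * threat.severity


def residual_risk(inherent: int, controls: List[Control]) -> float:
    """Controls layer multiplicatively: each one removes a fraction of what the
    previous controls left, so two 50% controls leave 25%, not 0%."""
    remaining = 1.0
    for c in controls:
        remaining *= 1.0 - control_effectiveness(c)
    return round(inherent * remaining, 2)


def build_register(assets, threats, controls, appetite: float) -> List[Dict]:
    """Align each threat to its target assets, map the controls, score inherent
    and residual risk, and return rows sorted so the top residual risks (the
    actionable output) come first."""
    by_name = {a.name: a for a in assets}
    rows = []
    for t in threats:
        mapped = [c for c in controls if t.name in c.mitigates]
        for asset_name in t.targets:
            a = by_name[asset_name]
            ir = inherent_risk(a, t)
            rr = residual_risk(ir, mapped)
            rows.append({
                "asset": a.name,
                "threat": t.name,
                "inherent": ir,
                "controls": [c.name for c in mapped],
                "residual": rr,
                # 500.09(b): state how each identified risk is mitigated or accepted
                "disposition": "mitigate" if rr > appetite else "accept",
            })
    rows.sort(key=lambda r: (-r["residual"], r["asset"], r["threat"]))
    return rows


# Constructed sample data (hypothetical assets, threats and controls).
ASSETS = (
    Asset("core-banking-db", 5),
    Asset("customer-portal", 4),
    Asset("marketing-site", 1),
)
THREATS = (
    Threat("credential-theft-remote-access", 5, ("core-banking-db", "customer-portal")),
    Threat("ransomware", 4, ("core-banking-db", "customer-portal", "marketing-site")),
    Threat("web-defacement", 2, ("marketing-site",)),
)
CONTROLS = (
    Control("mfa-for-external-access", ("credential-theft-remote-access",), True, True, 0.8),
    # Backups are well designed, but the last restore test failed: operating_ok=False
    Control("offline-backups", ("ransomware",), True, False, 0.6),
    Control("waf", ("web-defacement",), True, True, 0.5),
)
RISK_APPETITE = 6.0  # assumed threshold above which a risk must be mitigated


if __name__ == "__main__":
    for r in build_register(ASSETS, THREATS, CONTROLS, RISK_APPETITE):
        print(f"{r['asset']:18} {r['threat']:32} inherent={r['inherent']:>2} "
              f"residual={r['residual']:>5} {r['disposition']}")
```

Read the output top down: the two rows that exceed the appetite both trace to the backup control that failed its operating-effectiveness test, which is exactly the kind of evidence-backed, time-bounded action the text argues the assessment should produce, while the 25-point inherent risk on the core database drops to an accepted residual because the MFA control passed both tests. The same structure scales to hundreds of asset and threat pairs without the scoring rules changing, which is what keeps the register granular but still actionable.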


Meeting the Deadlines

NYDFS Part 500 has a number of compliance deadlines at regular intervals spanning the next two years. From August 28, 2017, firms need to have developed and put in place a risk-based cybersecurity program, cybersecurity policies and an incident response plan. The risk assessment must be completed by March 1, 2018; however, the first certification deadline is February 15, 2018. The order of the deadlines has confused some firms, since the cybersecurity program and policies need to be developed before the deadline for the risk assessment, which arguably needs to be completed (or be well on its way to completion) first in order to feed into the cybersecurity program and the incident response plan.

Although these dates seem confusing and contradictory, the regulators are signaling that even though some compliance deadlines fall after the first certification date, companies will need to be at a near-complete stage well ahead of the February 15, 2018 certification deadline. The transition periods have been built into the rules to ensure firms comply with the letter and the spirit of the regulations to such an extent that the person signing the certification can state that the company is in compliance to the best of its knowledge on that date (refer to the section below on certification and process). In short, whoever signs that document dated February 15, 2018, following a review of the company’s progress to that point, will need to be comfortable that the company is in compliance, or well on the way to being in compliance, with every section that is due by the March 1, 2018 deadline.

The following tables set out the individual action items in order of their compliance deadlines.

Effective August 28, 2017 Requirements

500.02 Cybersecurity Program
Develop and maintain a risk-based cybersecurity program designed to identify internal and external risks; use defensive infrastructure and policies and procedures to protect information systems and nonpublic information; and detect, respond to, recover from and report cyber events.

500.03 Cybersecurity Policy
Develop and maintain a risk-based cybersecurity policy that addresses: information security, data governance and classification, asset inventory and device management, access controls and identity management, business continuity and disaster recovery, systems operations and availability concerns, systems and network security, systems and network monitoring, systems and application development and quality assurance, physical security and environmental controls, customer data privacy, vendor and third-party service provider management, risk assessment and incident response.

500.04(a) Chief Information Security Officer
Appoint a qualified party responsible for overseeing the cybersecurity program, which may be a third-party service provider or affiliate.

500.07 Access Privileges
Establish limits, which are periodically re-evaluated, on user access to nonpublic information.

500.10 Cybersecurity Personnel and Intelligence
Employ qualified individuals to oversee and execute the cybersecurity program; provide training to cybersecurity personnel; and verify that cybersecurity personnel stay current on cyber threats and countermeasures.


500.16 Incident Response Plan
Develop and maintain a written incident response plan that includes: internal processes for responding to a cybersecurity event; the goals of the incident response plan; the delineation of roles and responsibilities; external and internal communications and information sharing; identification and remediation of any weaknesses in information systems and associated controls; documentation and reporting of cybersecurity events and incident response activities; and evaluation and revision, as necessary, of the incident response plan.

500.17 Notices to the Superintendent

• Within 72 hours of a determination that a cybersecurity event has occurred, a covered entity shall notify the superintendent if notification of the event is required to be provided to any government body, self-regulatory agency or any other supervisory body, and/or if the cyber event has a reasonable likelihood of materially harming any material part of normal operations.

• Annually, by February 15 of each year, submit a written statement from a senior officer(s) or the board of directors, covering the prior calendar year, certifying that the covered entity is in compliance with Part 500.

• Document any self-identified areas, systems, or processes that require material improvement, updating or redesign, along with planned remediation, and make such information available to the NYDFS.

First certification due February 15, 2018.

Effective March 1, 2018 Requirements

500.04(b) Annual Report of the CISO
Written annual report by the CISO to the board of directors or equivalent body on the institution’s cybersecurity program that shall consider, to the extent applicable: confidentiality of nonpublic information and integrity and security of information systems; cybersecurity policies and procedures; material cybersecurity risks; overall effectiveness of the cybersecurity program; and material cybersecurity events during the reporting period.

500.05 Penetration Testing and Vulnerability Assessments
Annual risk-based penetration testing and bi-annual (i.e., twice-yearly) risk-based vulnerability assessments, including systematic scans or reviews of information systems designed to identify publicly known cyber vulnerabilities.

500.09 Risk Assessment
Periodic risk assessment carried out in accordance with written policies and procedures that shall include: criteria for the evaluation and categorization of cyber risks and threats; criteria for the assessment of the confidentiality, integrity, security and availability of information systems and nonpublic information, including the adequacy of associated controls; and requirements describing how risks will be mitigated or accepted and how the cybersecurity program will address these risks.

500.12 Multi-Factor Authentication
Risk-based controls for protecting against unauthorized access to nonpublic information and information systems, which shall include multi-factor authentication for individuals accessing internal networks from an external network, unless the CISO has approved in writing the use of reasonably equivalent or more secure access controls.

500.14(b) Cybersecurity Awareness Training
Regular, risk-based cybersecurity awareness training for all personnel.


Effective September 3, 2018 Requirements

500.06 Audit Trail
Maintenance of systems, to the extent applicable and based on the risk assessment, that: (a) are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the entity; and (b) include audit trails designed to detect and respond to cyber events that have a reasonable likelihood of materially harming any material part of normal operations. The record retention period for (a) is not fewer than five years and for (b) not fewer than three years.

500.08 Application Security
Written procedures, guidelines and standards, subject to periodic review and updating by the CISO or a qualified designee, designed to ensure the use of secure development practices for in-house developed applications and procedures for assessing and testing the security of externally developed applications.

500.13 Limitations on Data Retention
Written policies and procedures for the secure disposal, on a periodic basis, of nonpublic information that is no longer needed, except where retention is required by law or regulation, or where disposal is not reasonably feasible due to the manner in which the information is maintained.

500.14(a) Monitoring of Authorized Users
Risk-based policies, procedures and controls designed to monitor the activity of authorized users and detect unauthorized access to or use or tampering with nonpublic information.

500.15 Encryption of Nonpublic Information
Encryption of nonpublic information both in transit over external networks and at rest or, where encryption is not deemed feasible, effective alternative compensating controls reviewed and approved by the CISO; the feasibility of encryption and the effectiveness of the compensating controls must be reviewed by the CISO at least annually.

Effective March 1, 2019 Requirements

500.11 Third-Party Service Provider Security Policy
Written risk-based policies and procedures designed to ensure the security of information systems and nonpublic information that are accessible to or held by third-party service providers, which shall address, to the extent applicable: identification and risk assessment of third-party service providers; minimum cybersecurity practices to be met by third-party service providers; due diligence used to evaluate the practices of third-party service providers; and periodic risk-based assessment of third-party service providers.

Such policies and procedures shall include guidelines, to the extent applicable, addressing: the third-party service provider’s own policies and procedures for access controls, including the use of multi-factor authentication; the third-party service provider’s procedures for encryption; notice requirements imposed on the third party in the event of a cyber event; and representations and warranties provided by the third-party service provider relating to the protection of information systems and nonpublic information. An agent, employee or representative of a covered entity that is itself a covered entity need not develop its own third-party service provider security policy if it follows the policy of the covered entity.


Definitions

There is little guidance provided in some sections of the NYDFS Part 500 regulations, which has resulted in confusion about the meaning of certain words. Foremost are the use of the terms “material” and “materially” throughout the document, and what constitutes “compensating controls.”

The terms “material” and “materially” are used in five different sections of the regulations but are currently undefined by the regulator. Covered entities are debating how broadly or how narrowly those terms can be applied. For example, in the Audit Trail section of the regulation (500.06), one of the requirements is for companies to keep records and documents “designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the covered entity.” A firm’s determination of how expansively to read the term “material” will govern its logging and retention of data as it relates to this specific requirement.

A further example is the Notices section of the regulation (500.17), which requires firms to give notice to the superintendent of the NYDFS when certain triggering events occur. One portion states that a covered entity needs to notify the NYDFS any time there is a cybersecurity event that has a “reasonable likelihood of materially harming any material part of the normal operation(s) of” the covered entity.

In order to show compliance with the requirements, firms will need to define how they have interpreted the terms for their organization. The chosen interpretation of these terms should allow flexibility in the practical application of the rules, both in methods and coverage, catering to the risk thresholds of the organization.

The reference to “compensating controls” is causing similar debate among covered entities. One specific example concerns the use of multi-factor authentication (MFA) to secure nonpublic information. Not all firms use MFA on every access path, so the regulation allows the CISO to approve in writing “reasonably equivalent or more secure access controls” in place of MFA for individuals accessing internal networks from an external network (500.12); the encryption requirement (500.15) likewise permits “effective alternative compensating controls” reviewed and approved by the CISO where encryption is not feasible. In either case the onus is on the company to use empirical evidence to demonstrate to the regulators and to the CISO that the chosen compensating controls are both reasonable and effective relative to the specific control the regulation is seeking. The lack of specificity allows flexibility; but the lack of clarity also makes certification less certain.

Due to the implications and impact of these (and other) definitions, it is our view that covered entities should review their conclusions with experts on this regulation prior to certification.


Certification and Process

From February 15, 2018 forward, every NYDFS-covered entity must certify annually in a written statement that for the preceding calendar year the company’s cybersecurity program complied with NYDFS Part 500. The statement should be signed by a senior officer or by the company’s board of directors and should state that they have reviewed such documents, reports, certifications and opinions of officers, employees, representatives, outside vendors and other individuals or entities as necessary to certify the company’s compliance to the best of their knowledge. Firms also need to document any self-identified areas, systems, or processes that require material improvement, updating or redesign, along with planned remediation, and make such information available to the NYDFS (Section 500.17(b)).

The main concern here is the need for an individual, or group of individuals at the board level, to personally attest to the firm’s compliance without clear indication of the implications if the regulators subsequently find any issues. This is why issues such as the definitions of “material” and “compensating controls” are causing so much industry debate: the individuals who sign the certification document will need to consider carefully how much written evidence and documentation they must review to be able to honestly attest to the firm’s compliance.

In addition to the certification statement, covered entities are required to keep appropriate documentation to support the certification. Firms are required to maintain for examination by the NYDFS all records, schedules and data supporting the annual certificate for a period of five years. The company must also document all remedial efforts, planned and underway, concerning areas, systems or processes identified in the certification as requiring material improvement, updating or redesign, and this documentation must be available for inspection by the superintendent.

The NYDFS regulators will be looking for the processes firms have used throughout the entire program, from the foundational, holistic risk assessment to the reporting of evidence to the board and senior management, to support the attestation process. The intention is for this process to form part of an ongoing communication effort that is built into the cybersecurity program to support continuous interrogation and monitoring from the top.

An essential skill for firms to master will be determining the level of complexity and detail to keep packaged up and ready to share with the examiners. Firms need to provide information that is straightforward and adequate to establish compliance. Storing and maintaining records — much of which will contain sensitive information — for five years is cumbersome and expensive; determining the complexity and detail required to satisfy compliance with the letter and the spirit of the regulations is an essential task for companies to master early in the process. Because that evidence store will itself hold vulnerability, remediation and configuration detail that is likely to qualify as nonpublic information, it should be treated as in scope for the same access-privilege (500.07) and encryption (500.15) requirements as any other system. Deciding which records to maintain at this early stage of implementation is difficult, however, especially ahead of any formal examinations.


Final Thoughts

The risk assessment is foundational to the NYDFS cybersecurity regulations, and it will require expertise to execute and to balance aligning the program to risk against addressing the expectations of the regulators. Appropriate attention should be given to this requirement. Firms should be well on the way to completing the risk assessment by this time in order to meet the other large compliance deadlines of implementing their cybersecurity policies and programs as well as finalizing their incident response plans ahead of the first certification deadline.

The various deadlines set out in the requirements can be confusing, but by completing the risk assessment piece, firms can create their own roadmaps for compliance that meet all of the tiered dates.

The language used in the NYDFS Part 500 requirements has created some ambiguity over the meaning of certain terms, specifically “material” and “compensating controls.” In the absence of any further guidance from the NYDFS, and to allow companies to “tell the story” of NYDFS cyber compliance, they should establish clear viewpoints to help clarify how certain terms have been interpreted for their organization.

The individual, or group of individuals at the board level, charged with personally attesting to the firm’s compliance with the cybersecurity regulations must be able to review sufficient written evidence and documentation to allow them to properly certify the firm’s compliance. To do this effectively, entities need to ensure record keeping and continuous monitoring of the firm’s implementation of its cybersecurity program and its ongoing maintenance.


ABOUT PROTIVITI

Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independently owned Member Firms provide consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit to our clients through our network of more than 70 offices in over 20 countries.

We have served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

Contacts

Adam Hamm, Managing Director, [email protected]

Cal Slemp, Managing Director, [email protected]

Andrew Retrum, Managing Director, [email protected]

Scott Laliberte Managing Director +1.267.256.8825 [email protected]


© 2017 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0817-103109 Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

THE AMERICAS UNITED STATES

Alexandria

Atlanta

Baltimore

Boston

Charlotte

Chicago

Cincinnati

Cleveland

Dallas

Fort Lauderdale

Houston

Indianapolis

Kansas City

Los Angeles

Milwaukee

Minneapolis

New York

Orlando

Philadelphia

Phoenix

Pittsburgh

Portland

Richmond

Sacramento

Salt Lake City

San Francisco

San Jose

Seattle

Stamford

St. Louis

Tampa

Washington, D.C.

Winchester

Woodbridge

ARGENTINA*

Buenos Aires

BRAZIL*

Rio de Janeiro Sao Paulo

CANADA

Kitchener-Waterloo Toronto

CHILE*

Santiago

MEXICO*

Mexico City

PERU*

Lima

VENEZUELA*

Caracas

EUROPE MIDDLE EAST AFRICA

FRANCE

Paris

GERMANY

Frankfurt

Munich

ITALY

Milan

Rome

Turin

NETHERLANDS

Amsterdam

UNITED KINGDOM

London

BAHRAIN*

Manama

KUWAIT*

Kuwait City

OMAN*

Muscat

QATAR*

Doha

SAUDI ARABIA*

Riyadh

SOUTH AFRICA*

Johannesburg

UNITED ARAB EMIRATES*

Abu Dhabi

Dubai

ASIA-PACIFIC CHINA

Beijing

Hong Kong

Shanghai

Shenzhen

JAPAN

Osaka

Tokyo

SINGAPORE

Singapore

INDIA*

Bangalore

Hyderabad

Kolkata

Mumbai

New Delhi

AUSTRALIA

Brisbane

Canberra

Melbourne

Sydney

*MEMBER FIRM
