NYDFS cybersecurity regulation requirements
(Last updated on October 4, 2021)
Financial organizations house a myriad of sensitive customer data, including login credentials, personally identifiable information (PII), and account numbers. With valuable data at stake, the financial services industry repeatedly has the highest cost of cybercrime. As the threat of breaches looms across the industry, and remote work introduces more variables into the cybersecurity equation, it’s clear that proactive measures are necessary.
The New York State Department of Financial Services (NYDFS) introduced a Cybersecurity Regulation (23 NYCRR 500) in 2017 to govern all organizations overseeing consumer financial data in the State of New York. The regulation draws inspiration from the NIST cybersecurity program, and is designed to protect confidential customer information from cyberattacks.
How to meet the NYDFS cybersecurity requirements
At the most basic level, the NYDFS requires companies to do the following:
- Officially designate a Chief Information Security Officer (CISO)
- Define a notification process for breaches and similar events with customer-facing impacts (within 72 hours of occurrence)
- Create response plans for security incidents
- Deliver documents detailing the above compliance measures to regulatory bodies
Protecting data at rest and in transit is paramount. Regular vulnerability testing is essential to upholding these controls; there are holes of various sizes in nearly every system. A financial institution’s goal is to minimize those operational risks, while remaining NYDFS compliant.
Another major component of that is access control, in the way of group policies, roles, and password policies. While we want to galvanize data pathways against outside threat, it’s necessary to prevent internal leaks. These happen accidentally and maliciously. Malicious insider attacks can cost companies over $243,000 on average, while taking a jaw-dropping 55.1 days to resolve. Companies must ensure that the right employees access their assigned resources, without obtaining elevated privileges.
Teams must also do the following:
- Identify all known and likely cybersecurity threats from all sources
- Harden infrastructure against threats via defensive measures
- Create and deploy security-event detection systems
- Respond to all events
- Recovery appropriately from all events, from an ecosystem standpoint
- Complete all mandated forms of regulatory reporting
We can see that many of these tasks are proactive in nature. This is critical, since successful penetration attempts can wreak havoc, even when resolved quickly. According to a survey of global financial services organizations conducted by the Ponemon Insititute, the majority of financial organization are ineffective at preventing cyberattacks. The NYDFS is trying to reverse that narrative.
Preventing password attacks
Password policies including expirations, account lockout measures, and complexity settings can influence the success of a cyberattack. It’s incumbent on an organization, under the NYDFS, to outline clear-and-effective password policies that align with NIST and related standards.
Strong access controls and password handling are a powerful tandem. Financial organizations can ensure that the right employees can leverage associated accounts. These privileges may be stripped in response to security events or internal sabotage. Unauthorized access must be logged and halted. Passwords should be strong, and complex, yet not to the point where they cannot be remembered without being written down. Many teams fall into this trap.
Say an employee has fallen victim to a phishing scam, and a criminal captures their login credentials. Teams must work swiftly to respond to such suspicious activity, force a sign-out, and promptly replace a user’s compromised password. When a hacker stumbles upon a username—without a password—they’ll be forced to guess that password. It’s important that one’s password adheres to a strong policy, and especially one which bans passwords found in dictionaries or leaks.
Uncovering password vulnerabilities with Specops
Specops Software provides password security solutions for financial services using Microsoft Active Directory, and facing NIST and NYDFS cybersecurity requirements. Specops Password Auditor is a free tool that finds password vulnerabilities in Active Directory. IT teams get a view into password policy usage, and how they stack up against compliance regulations.
Find out how many employees are using leaked passwords by running a free read-only scan with Specops Password Auditor.