New York State Gets Bullish on Cyber Security Programs

Last year, New York experienced an unprecedented number of data breaches triggered by hacking, malicious insiders and accidental causes according to the attorney general.  Coincidentally, in late September of 2016, the New York State Department of Financial Services (NYDFS) proposed 23 NYCRR 500, a regulation requiring banks, insurers and other financial service providers to improve their organizational cyber-readiness through the establishment of programs and policies that protect sensitive electronic data.

Effective as of March 1, 2017, the regulation appears to be in direct response to the ongoing cyber attacks that target an organization’s most critical systems containing intellectual property, consumer data and other sensitive information. The number of companies that fall into exemption from this regulation is very limited and any other organization regulated by the NYDFS will now be required to create programs protecting sensitive data held either by the organization itself or by a third-party provider.

In short, the regulation requires that each company calculate a risk profile unique to the organization, develop programs and policies that specifically address that profile and establish a minimum security standard to maintain compliance. The program should be designed to protect the confidentiality, integrity and availability of the organization’s information systems.

Key elements from 23 NYCRR 500:

  1. Establish a comprehensive cyber security program
  2. Create written cyber security policies
  3. Appoint a Chief Information Security Officer (CISO)
  4. Provide cyber security training to personnel
  5. Establish policies and procedures for third parties
  6. Detect, alert and respond to cyber security threats
  7. Include an audit trail for cyber security events

Privileged Account Security and Why It’s Important to 23 NYCRR 500 

Privileged accounts are used to gain access to critical systems such as servers, switches, firewalls, financial trading systems and other applications that are crucial to the business.  Unprotected, these accounts represent a significant security vulnerability. Cyber attackers target privileged accounts to move laterally, escalate privileges and ultimately navigate a company’s entire IT infrastructure, often undetected for months. According to Mandiant’s M-Trends 2017 Report, threat groups specifically within the financial sector have advanced the tools and approaches they use to gain access to privileged accounts, escalate privileges and maintain persistence.

Attackers are becoming smarter and more sophisticated. Using traditional security controls may not be enough to protect your environment. The pathway attackers use continues to evolve as more organizations shift to next-gen workloads for cloud, mobile, Internet of Things (IoT), etc.  Organizations need to prioritize locking down their privileged accounts to better protect against, detect and respond to cyber attacks before critical systems are breached and sensitive data becomes compromised.

Securing your privileged accounts with CyberArk solutions will satisfy nearly all of the key elements of this regulation including risk assessments, cyber security programs and policies, penetration testing and vulnerability assessments, audit trail, access privileges, application security – all the way through training and monitoring. Much of 23 NYCRR 500 requires organizations to properly assess risk to their security gaps, detect and respond to cyber threats that exist within their IT infrastructure. This is exactly what we strive to deliver to our customers through our integrated portfolio of solutions.

See How CyberArk Can Help You Start Tracking Compliance

The strict requirements of regulation 23 NYCRR 500 place a substantial burden on every financial services organization regulated by the New York State Department of Financial Services. With CyberArk at the core of your cyber security programs and policies, you can start tracking compliance with a single solution designed to protect your most critical assets in public, private or hybrid cloud environments.

Learn how CyberArk can protect the confidentiality, integrity and availability of your information systems. Attend our webinar on Thursday June 22, at 2:00 PM EST for a review of the key sections in this regulation and more information about how CyberArk solutions can help to support your organization’s compliance with 23 NYCRR 500.