NYDFS Cybersecurity Compliance Final Phase. The clock is ticking.
March 1, 2019 is the deadline for covered entities to comply with the final phase of 23 NYCRR 500. Our blog, NYDFS Cybersecurity Regulation Isn’t Just a Phase, outlined the significance of this final phase. Phase Four requires you to conduct periodic assessments of third-party controls, policies and procedures, as well as perform due diligence on third parties’ cybersecurity practices. Covered entities and their third parties must meet these requirements even to conduct business.
If you’re focused on complying with Phase Four, the good news is you’re at the finish line for the regulation. The bad news? The clock is ticking and given third parties are the source of many high-profile incidents, the challenge is bigger than checking all the boxes.
With that in mind, here are three tips for not just satisfying compliance with 23 NYCRR 500, but also about implementing a program to continuously manage the third-party risk lifecycle, including cyber risk.
Section 500.11 pertains to the third-party security policy. From the regulation, “each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third-Party Service Providers.”
Managing policies is something done within your organization like the acceptable use policy that employees must follow. Here, the audience is your pool of third parties, and the compliance challenge is ensuring the issued policy is received with the recipient attesting to the information. To prove compliance, you’ll need to show a linkage between policies and controls.
That’s easier to do with a technology platform that can centrally store and link data from disparate sources, including policies, controls, regulatory requirements and third-party contracts. With everything in one place, it’s easier to gather evidence of compliance, perform a gap analysis to see what’s missing and focus on managing the residual risk.
Do third-party service providers follow the minimum cybersecurity practices required to do business with a covered entity? Are third parties using multi-factor authentication? These are just two of the 11 requirements mandated in 500.11.
Assessments help ascertain if requirements are being adhered to by third parties for compliance. A technology platform can assist with managing the assessment process. Features like pre-populated questionnaires and automatic scoring save time and make it easier to assess.
Data collected in assessments can be leveraged within the platform to manage third-party risk. You can identify and flag high-risk third parties for risk mitigation or incident remediation. Or, analyze the data across the universe of third parties for insights and trends, and then quickly generate a report for leadership with a click of a button.
Generate paper trails
According to a Department of Financial Services memo dated December 21, 2018, the Department has received approximately 1,000 notices of cybersecurity events from regulated institutions. It’s an indicator that the New York Department of Financial Services is focusing on demonstrating visibility, transparency and accountability.
If you ever face scrutiny or are asked to produce certification evidence, your best defense is generating paper trails that document what was done, when the action occurred and who did it. With a handful of third parties, you can accomplish this in a spreadsheet. If you have dozens, hundreds or thousands of third parties, technology offers a more efficient solution. A technology platform enables you to document as you go, report as you go and store everything for audits.
If it’s more efficient to generate paper trails and to provide a defensible record, compliance professionals can give more attention to other areas like education and training. When compliance is more efficient, it helps you expand your program so you can accomplish more.
The compliance deadline for the final phase of the New York Department of Financial Services’ cybersecurity regulation, 23 NYCRR 500.11, is only six weeks away. But by focusing on policy management, assessments and paper trails, covered entities can make headway on both compliance and risk management.
Read about the GAO’s report on CRA oversight
Read about GDPR’s impact in its first year of regulation.
Learn how to prepare for the California Consumer Privacy Act (CCPA).