23 NYCRR 500 – A Step Forward for Cyber Security Regulation

February 24, 2017


As we start 2017, let’s take a look back on the state of cyber security in 2016 within financial services: roughly 60,000 customers of Tesco Bank were affected by a recent hack, the SWIFT network was notably compromised, leading to dozens of banks being affected, and more recently the Russian Central Bank claims to have suffered losses of $31 million at the hands of attackers. To put it lightly, 2016 was not good…well, unless you’re a cyber attacker. Cyber-attacks on banks have continually intensified, and we are on track for these trends to continue into the new year. There is clearly a global rise in attacks against financial services, but as my friend* Charles Dickens once stated, “It was the best of times, it was the worst of times”.

But 2017 is already looking up for cyber security. The New York Department of Financial Services (NY DFS) is taking steps to strengthen the cyber security foundation of all financial services organizations within the state of New York and those that do business with them. On March 1, 23 NYCRR 500 went into effect, setting guidelines for cyber security practices within New York’s financial services industry, including minimum standards for access control, breach remediation and the requirements for cybersecurity programs. The key date to keep in mind is September 1, 2017: that date marks the end of the 180-day period to comply with the guidelines set forth in 23 NYCRR 500.

Applicability is defined within section 500.18 as the following:

(1) fewer than 1000 customers in each of the last three calendar years, and

(2) less than $5,000,000 in gross annual revenue in each of the last three fiscal years, and

(3) less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates

Covered entities will find that there are requirements to establish Cybersecurity Programs led by a CISO. One such requirement details the need for an established and written Cybersecurity Policy, in which these new technical requirements can be found. As a whole, these stipulations aim to provide a full picture of protection, detection and the remediation of a breach.

Combat Cyber Attacks Holistically

SecureAuth is uniquely positioned to help with many aspects of the proposed regulation: SecureAuth can offer automated risk assessment through adaptive authentication at each authentication attempt. Whether a user is attempting to access the network over VPN, connecting to a SaaS application, or reaching an internal server, SecureAuth can provide 10 layers of adaptive authentication. These layers remain transparent to the connecting user to maintain the user experience, while ensuring that security policies are thoroughly enforced with each transaction.

One of these layers inspects the privileges of the authenticating user to ensure each privileged user is authenticated in a compliant manner, while non-privileged users continue without impact. Similarly, third parties can be identified and governed by separate adaptive policies: the authentication for a third party can be strengthened and, if required, segregated from specified environments.

Additionally, when a transaction is assessed as risky, SecureAuth can challenge the user with multi-factor authentication. This is explicitly called for within the regulation, and SecureAuth offers over 25 methods to ensure each user can efficiently maintain access under these new security requirements. Our ultimate goal is to provide users a passwordless experience with applications by providing adaptive layers and simplified MFA to streamline the user experience.

With each access attempt (whether successful or failed), SecureAuth provides authentication logs in granular detail. This can streamline required audits and can provide clarity during penetration testing. With each layer of adaptive authentication, any SIEM or logging server can be fed precise detail regarding authentication transactions.

A challenge with this regulation can be taking the list of requirements and applying them to established applications. With SecureAuth’s REST APIs, SecureAuth acting as an OIDC and OAuth authorization provider, or SecureAuth’s SAML consumer plugins, the capabilities provided by SecureAuth can be immediately built into any application. These platforms can be scaled without limit and are flexible enough to fit into any existing architecture.

* Charles Dickens is not an actual acquaintance, wording used for dramatic effect.

Request a demo and see how SecureAuth prevents the misuse of stolen credentials.
