Four Steps to NYDFS 500 Compliance

Twitter: @JannineMahoneFS

Year upon year, regulatory responsibilities increase for financial services institutions.

Non-compliance penalties are high. But so is the operational expense of attempting to comply with these new regulations.

The New York Department of Financial Services (DFS) Title 23 of the New York Codes, Rules, and Regulations (NYCRR) Part 500—also known as NYDFS 500¹—is a prime example of a new responsibility you now must carry. As it went into effect last year, on March 1, 2017, you need a plan on how to comply with NYDFS deadlines and milestones to minimize the cost and organizational pain.

Compliance costs and complexity are rising

Since the 2008 financial crisis, banks globally have paid more than $321 billion in fines² because they failed to meet the demands of the growing multitude of regulations. But it’s not just the fines that add up. The cost of complying with the ever-growing pile of regulations is growing, too.

Compared to pre-financial crisis spending, the operating costs of compliance have increased by more than 60%³ for both retail and corporate banks. A full 89% of financial services firms⁴ believe compliance costs could more than double within the next five years. Where previously financial services institutions spent 4% of gross revenue on compliance, they expect this to increase to 10% by 2022⁴.

When the NYDFS 500 was announced in February 2017, yet another set of compliance mandates was left at your doorstep.

Complying with the NYDFS 500

The goal of the NYDFS 500 is to ensure that all financial institutions maintain certain minimum cybersecurity standards. That’s because the financial services industry remains a prime target of cybercriminals—both internal and external to your organization—who continue to wreak havoc and cause significant losses for DFS-regulated financial institutions as well as the consumers they serve.

Only 14 pages in length, the NYDFS 500 regulation is not overly prescriptive. Instead, it gives you flexibility to assess your company’s particular risk profile and design a cybersecurity program customized to mitigate those risks. Here are a few quick things to know about the NYDFS 500:

• You must designate a qualified individual to oversee your company’s cybersecurity program
• You must document your incidence-response plan, and notify the DFS within 72 hours of discovering an incident
• You are also required to file an annual certification of compliance.

Flexibility is good. But the broad nature of the mandate coupled with the lack of details can make NYDFS 500 a challenging regulation to comply with.

Forescout can help. Our solutions help you automate compliance with NYDFS 500 by expertly identifying assets on your network, classifying and assessing device hygiene, and helping you identify and mitigate security gaps. We not only help eliminate potentially hefty fines, but also significantly reduce operational costs.

Four steps to compliance

Here are four steps Forescout recommends to help you roll up your shirtsleeves and get to work complying with NYDFS 500.

1. Consider using the Federal Financial Institutions Examination Council Cybersecurity Assessment Tool (FFIEC CAT). FFIEC CAT⁵ is an assessment tool that helps you understand your risk level as well as the maturity of your cybersecurity program. If you’re already using the NIST cybersecurity framework⁶, you’ll see that FFIEC CAT maps to similar controls and goals.
2. Do a thorough risk assessment of your systems. Before you can do this, you need complete visibility into your IT environment, and the ability to know exactly what devices are attached to your network so you can identify potential threats.

   Here is where Forescout shines. Our device visibility platform provides insight into all the diverse types of devices connected to your heterogeneous network—from campus and data center networks, to cloud and operational technology ones. You get transparency into your entire network, which helps you identify potential threats unknown devices may pose to your financial data.

3. Build a resilient cybersecurity program. Once you’ve discovered all the devices on your network, you need to classify these devices. Only then can you effectively segment your network in a way that aligns with your user-access policies and makes sure that only authorized people—or devices—can access network assets.

   Forescout enables you to auto-classify devices—an essential next step in FFIEC compliance—so you can create effective security policies that ensure device compliance, and control access to network resources on a need-to-access basis. Then you can design and build an effective network segmentation program aligned to those policies.

4. Review the New York State security breach reporting process. You’ll also need a formal document that lays out precisely how you will respond to any cybersecurity incidents you are hit with.

Forescout helps you to tear down security silos and unify security management tools across your infrastructure, making formerly disjointed security products work as one. Our unique set of network, security and management interoperability technologies allow you to accelerate your response to incidents and ensure superior security while realizing significant operational efficiencies. So you not only respond much more quickly to breaches, you do so at lower cost while protecting your existing security investments.

In summary

Did you know that one in four firms (26%)⁸ say they must dedicate a compliance professional to spend an entire day each week simply tracking and analyzing changes or additions to the regulatory landscape? Small wonder that more than half (53%) expect the cost of compliance⁸ to increase in the coming year.

As compliance-related costs and risks continue to rise, financial services firms need to prioritize how to best allocate their resources. One way is to take advantage of the latest tools and technologies that help them leverage their investments in legacy security solutions.

Forescout offers such tools to help you automate compliance with NYDFS 500—without having to rip-and-replace your existing security environment.

For more information on ways to achieve NYDSF compliance, download our “Addressing NYDFS Compliance” solution brief.

¹ https://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf
² https://www.reuters.com/article/us-banks-fines/banks-paid-321-billion-in-fines-since-financial-crisis-bcg-idUSKBN1692Y2
³ https://www2.deloitte.com/us/en/pages/regulatory/articles/cost-of-compliance-regulatory-productivity.html
⁴ https://www.gtnews.com/2017/04/27/financial-services-firms-braced-for-spiralling-compliance-costs/
⁵ https://www.ffiec.gov/cyberassessmenttool.htm
⁶ https://www.nist.gov/cyberframework
⁷ https://its.ny.gov/breach-notification
⁸ https://risk.thomsonreuters.com/content/dam/openweb/documents/pdf/risk/report/cost-of-compliance-2017.pdf