September 4, 2018 - Eighteen-month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.
Effective March 1, 2017, the New York State Department of Financial Services (NYDFS) promulgated 23 NYCRR Part 500, a regulation establishing cybersecurity requirements for financial services companies.
Beginning today, September 4, 2018, Sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500 will be enforceable.
Three particular sections in the regulation are relevant to many of our readers: 500.05, 500.06, and 500.08. See them copied below with some quick comments from us after each about how HackerOne can help.
Section 500.05 Penetration Testing and Vulnerability Assessments.
The cybersecurity program for each Covered Entity shall include monitoring and testing, developed in accordance with the Covered Entity’s Risk Assessment, designed to assess the effectiveness of the Covered Entity’s cybersecurity program. The monitoring and testing shall include continuous monitoring or periodic Penetration Testing and vulnerability assessments. Absent effective continuous monitoring, or other systems to detect, on an ongoing basis, changes in Information Systems that may create or indicate vulnerabilities, Covered Entities shall conduct: (a) annual Penetration Testing of the Covered Entity’s Information Systems determined each given year based on relevant identified risks in accordance with the Risk Assessment; and (b) bi-annual vulnerability assessments, including any systematic scans or reviews of Information Systems reasonably designed to identify publicly known cybersecurity vulnerabilities in the Covered Entity’s Information Systems based on the Risk Assessment.
Augmenting your penetration testing schedule with hacker-powered penetration testing is a best practice adopted by many.
According to the 2018 Hacker-Powered Security Report, Financial Services & Insurance continues to adopt hacker-powered security. With 8% of all new programs, the industry consistently ranks in the top four in adoption and far outpaces other industries, such as Government, Retail & Ecommerce, and Transportation.
Section 500.06 Audit Trail
(a) Each Covered Entity shall securely maintain systems that, to the extent applicable and based on its Risk Assessment: (1) are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the Covered Entity; and (2) include audit trails designed to detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity. (b) Each Covered Entity shall maintain records required by section 500.06(a)(1) of this Part for not fewer than five years and shall maintain records required by section 500.06(a)(2) of this Part for not fewer than three years.
Maintaining a robust secure web form for the external researcher community to contact you with vulnerabilities they may find is part of this section. HackerOne Response is the industry standard in use by Goldman Sachs, General Motors, and The U.S. Department of Defense. It makes any audit efforts seamless when all correspondence related to a Cybersecurity Event from external parties submitting vulnerability information to your organization is in one safe place. Read our Vulnerability Disclosure Policies (VDP): Guidance for Financial Services to learn more.
Section 500.08 Application Security.
(a) Each Covered Entity’s cybersecurity program shall include written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications utilized by the Covered Entity, and procedures for evaluating, assessing or testing the security of externally developed applications utilized by the Covered Entity within the context of the Covered Entity’s technology environment.
Thoughtful organizations are extending hacker-powered pen tests to third-party assets, or even requiring vendors to establish a vulnerability disclosure policy and process (Google inquires about this for all its vendors).
Dropbox held a live hacking event with specific third-party vendor apps in scope. Within one hour of live hacking, a remote code execution (RCE) vulnerability was reported for one of the vendor's assets. The vendor was immediately notified and grateful for the efficiency and professionalism of the hacker community.
The Auto-ISAC group has also taken a leadership position in relation to VDPs, collaborating with HackerOne on a vulnerability disclosure policy workshop for their members.
For further reading on 23 NYCRR Part 500, check out this Threatstack post which reviews it more broadly. Stay tuned in to our blog and resources page for more analysis and data on the financial services industry adoption and work in the hacker-powered security ecosystem and download our VDP Guide to Financial Service Organizations today.