New regulation from New York state provides both an opportunity and a challenge for cyber risk management: an opportunity to increase visibility of a cybersecurity program and the challenge of assessing, measuring, and managing risk in a more consistent, quantified manner. The New York Department of Financial Services (NYDFS) released a new set of regulations, 23 NYCRR 500 (or “Part 500”), which has a wide scale and scope in the financial services industry (and beyond).
Specifically, Part 500 requires each organization to “assess its specific risk profile and design a program that addresses its risk in a robust fashion.” Terbium Labs has built a technology to not only assess this exposure in an automated fashion, but also provide regular reports analyzing your organization’s data profile on the dark web. The regulations outline the implementation and maintenance of a cybersecurity program and policy: covered entities must identify cyber risks, maintain customer privacy, implement policies to protect against unauthorized access or use, detect and respond to cybersecurity events, and mitigate and recover from cybersecurity events, restoring normal operations. (To see if Part 500 applies to your organization, DFS provides a comprehensive list of supervised institutions, by category and list.)
This regulation also mandates the designation of a Chief Information Security Officer (CISO), annual certification to confirm compliance and regular penetration testing, among other components. Part 500 is the latest in a trend of rising regulatory expectations around improved data governance, controls, and disclosure. The requirement of both board and CISO attestation indicates that regulators expect to monitor and challenge organizations’ reported progress. In a recent interview with the Financial Times, the Superintendent of DFS, Maria Vullo, described how this regulation creates a sense of urgency:
…require a board-level director or a senior manager to sign on the dotted line, attesting to the effectiveness of the company’s controls. Previous guidance was aimed a few notches lower, at the chief compliance officer. You need people with the purse strings involved in the process.
Since the regulation’s introduction last year, organizations have had one year to transition their program to comply – specifically, with key provisions of the regulation (500.04(b), 500.05, 500.09, 500.12, and 500.14(b)). There are three areas which have immediate relevance to monitoring the dark web for sensitive data exposure.
- Section 500.04(b) Report from the Chief Information Security Officer. This section requires a written report from the CISO to the board, which discusses the cybersecurity program and material cybersecurity risks. An important part of this section addresses “the confidentiality of Nonpublic Information and the integrity and security of the Covered Entity’s Information Systems.”
- Section 500.05 Penetration Testing and Vulnerability Assessments. This section mandates monitoring and testing of program effectiveness. Simply finding the exposed sensitive data is insufficient; a thorough cybersecurity risk management approach requires ongoing monitoring. According to the DFS Frequently Asked Questions (#28), “effective continuous monitoring could be attained through a variety of technical and procedural tools, controls and systems.” Importantly, the purpose of monitoring is to detect changes or activities that may indicate vulnerabilities; simply reviewing logs and configurations, for example, would not constitute effective continuous monitoring.
- Section 500.09 Risk Assessment. Specifically, the regulation states that the covered organization “shall conduct a periodic Risk Assessment of the Covered Entity’s Information Systems sufficient to inform the design of the cybersecurity program.” This section highlights that the risk assessment (and the corresponding controls) needs to “respond to technological developments and evolving threats” as well as risks to business operations, “Nonpublic Information collected or stored,” and “…the availability and effectiveness of controls to protect Nonpublic Information.”
Each of these areas—reporting by the CISO, vulnerability assessment, and risk assessment—has a component connected to sensitive data on the dark web. How should a cybersecurity program allocate resources to manage risks associated with the dark web? A first step is to identify and assess risks to the security or integrity of nonpublic information, including data accessible to and held by third parties. Additionally, how should a security program measure the effectiveness of data protection? Whether by theft, negligence, loss, or otherwise, when your organization’s sensitive data leaves your systems, our technology helps test the effectiveness of those data protection controls. Because Terbium Labs approaches the dark web as an underground economy for stolen and lost data, our technology continuously monitors for the appearance of sensitive, nonpublic information.
In some aspects, Part 500 goes beyond current regulations, such as the Federal Financial Institutions Examination Council (FFIEC) guidance, with a broader definition and required protection of “nonpublic information.” In light of these new requirements, how should organizations tailor cybersecurity policies to their unique risks and needs? Here are two steps to get started with approaching compliance for Part 500:
- Inventory. Identifying and locating sensitive data is a process that requires both information classification and governance. Knowing exactly which data types are considered “nonpublic” may require a close examination of information classification hierarchy – data governance may not be exciting, but it is crucial.
- Stakeholders. Each organization is different; however, understanding the set of stakeholders is key to your organization’s compliance. Beyond the Chief Information Security Officer (and their team), other stakeholders may include the general counsel, chief compliance officer, chief privacy officer, and data governance officer.
When it comes to assessing the risk of sensitive data exposure on the dark web, Terbium Labs takes a risk management approach that not only helps organizations understand which of their data might be exposed, but also empowers them to allocate resources and build programs in an effective, efficient way.