
NY DFS Releases Cybersecurity Requirements for Financial Service Companies

New cybersecurity regulations are set to go into effect on March 1, and NY-based financial firms need to be prepared.

Announced in September 2016, the new cybersecurity regulation, known as 23 NYCRR 500, was developed to “guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible.”

23 NYCRR 500 requires each company to “assess its specific risk profile and design a program that addresses its risks in a robust fashion.”

The regulation states, “it is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs.”

Organizations covered by the new cybersecurity regulation include banks and trust companies, insurance companies, mortgage lenders, investment companies, brokers and other financial services providers. There are exemptions for smaller organizations, but best practices encourage firms of all sizes to adopt these policies as every organization is at risk of a devastating cyber attack.

The new cybersecurity regulatory regime will go into effect March 1, 2017. As originally proposed, there is a 180-day grace period for companies to comply.

Keep in mind that this regulation requires each company to assess its specific risk profile and design a program that addresses the risks in a robust fashion. The best approach is to meet with a competent and trusted cybersecurity advisor, such as ACE IT Solutions, to discuss a plan tailored for your organization.

Here is a general list of cybersecurity protections that firms must address in order to meet compliance requirements. Details are available here:  http://www.dfs.ny.gov/legal/regulations/proposed/rp500t.pdf

  • Cybersecurity Program –
    Each covered entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the firm’s information systems. According to 23 NYCRR 500, “Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations.”
  • Risk Assessment –
    Each covered entity shall conduct a periodic risk assessment of the covered entity’s information systems sufficient to inform the design of the cybersecurity program as required.
  • Cybersecurity Policy –
    Each covered entity shall implement and maintain a written policy or policies, approved by a senior officer or the firm’s board of directors. ACE IT Solutions can help your firm develop cybersecurity policies that meet compliance regulations.
  • CISO – 
    Each covered entity shall designate a qualified individual responsible for overseeing and implementing the firm’s cybersecurity program and enforcing its cybersecurity policy – this individual can be an employee or a third-party service provider such as ACE IT Solutions.
  • Penetration Testing and Vulnerability Assessments – 
    The cybersecurity program for each covered entity shall include monitoring and testing, developed in accordance with the firm’s risk assessment, designed to assess the effectiveness of the firm’s cybersecurity program. The monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments.
  • Audit Trail – 
    Each covered entity must retain, for five years, an audit trail designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations of the firm.
  • Access Privileges – 
    Each covered entity shall limit user access privileges to information systems that provide access to nonpublic information and shall periodically review such access privileges.
  • Cybersecurity Personnel –
    Each covered entity shall use qualified cybersecurity personnel or a third-party service provider, such as ACE IT Solutions, to manage cybersecurity risks and perform or oversee the performance of the core cybersecurity functions specified and provide cybersecurity personnel with cybersecurity updates and training sufficient to address relevant cybersecurity risks.
  • Third-party – 
    Each covered entity shall implement written policies and procedures designed to ensure the security of information systems and nonpublic information that are accessible to, or held by, third party service providers.
  • Multi-factor Authentication (MFA) – 
    Each covered entity shall use effective controls, which may include multi-factor authentication or risk-based authentication, to protect against unauthorized access to nonpublic information or information systems.
  • Data Retention –
    Covered entities must have policies and procedures for securely disposing of “non-public information” on a periodic basis.
  • Training and Monitoring –
    In addition to written cybersecurity policies and procedures, each entity shall provide for regular cybersecurity awareness training for all personnel.
  • Encryption –
    Each covered entity shall implement controls, including encryption, to protect nonpublic information held or transmitted by the firm, both in transit over external networks and at rest.
  • Incident Response Plan –
    Each covered entity shall establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event materially affecting the confidentiality, integrity or availability of the firm’s information systems or the continuing functionality of any aspect of the firm’s business or operations.
  • Notification –
    Covered entities must notify the Department of Financial Services within 72 hours of determining that a cybersecurity event of either of the following types has occurred: (1) a cybersecurity event that has a reasonable likelihood of materially harming the normal operations of the covered entity, or (2) a cybersecurity event that requires notice to be provided to any governmental or supervisory body or self-regulatory agency.

ACE IT Solutions can help your board members or senior officers understand the key components of these regulations and create a framework for reviewing a cybersecurity policy. We can also help your firm execute the regulations so that your firm will remain secure and stay in compliance.

Contact us to discuss how 23 NYCRR 500 affects your firm.


View the comprehensive list of requirements here: http://www.dfs.ny.gov/legal/regulations/proposed/rp500t.pdf

Simplify Cybersecurity with a Proactive Approach to Security Threats

ACE IT Solutions’ cybersecurity partner, IBM Security, has launched a new team of global experts – IBM X-Force IRIS – to help clients prepare for and rapidly respond to security threats with best-of-breed security solutions. Our seasoned experts and consultants deliver threat intelligence services, incident preparedness planning and onsite response services to help organizations stay ahead…

Restore Systems After Ransomware without Paying

The San Francisco Municipal Transportation Authority (SFMTA) was hit with a ransomware attack the morning of Friday, Nov. 25. It is reported that the hacker demanded approximately $73,000 USD to restore operations. Fortunately, the SFMTA had an information technology team in place and backup systems that allowed the SFMTA to bounce back without paying a cent.

Protecting Your Network From Ransomware: Tips from the FBI

Ransomware is the fastest growing malware threat, targeting users in all industries and businesses of all sizes. On average, more than 4,000 ransomware attacks have occurred daily since January 1, 2016. This is a 300-percent increase over the approximately 1,000 attacks per day seen in 2015. What is Ransomware? Ransomware is a form of malware that…

ACE IT Solutions Nominated for Multiple Hedge Fund Service Awards

New York, NY, 19 September, 2016 — ACE IT Solutions has been nominated as a finalist for several HFMWeek 2016 US Hedge Fund Services Awards, including: Best Outsourced Tech Infrastructure Provider; Best Technology for Small and Start-Up Firms; Best Technology Firm – Client Service; Best IT Security Service. The awards showcase the leading hedge fund…

ACE IT Solutions Featured in Special Report: Cybersecurity for Fund Managers

ACE IT Solutions is proud to announce that it has been featured in Hedgeweek’s Special Report, “Cybersecurity for Fund Managers.” In the special report, ACE IT Solutions managing partner, Warren Finkel, and Datto VP of Marketing, Carrie Reber, discuss ransomware and how funds can fight back without paying hackers one cent. Companies across all sectors are…

ACE IT Solutions’ Warren Finkel to Moderate Annual Hedge Fund General Counsel & Compliance Officer Summit

Warren Finkel, ACE IT Solutions’ Managing Partner, will be moderating a panel discussion, “OCIE Cybersecurity and Other Market-wide Risks,” at the 10th Annual Hedge Fund General Counsel & Compliance Officer Summit. Corporate Counsel’s Annual Hedge Fund General Counsel and Compliance Officer Summit provides cutting-edge insights into the latest legal, regulatory and compliance opportunities and challenges faced…