How CAASM Can Help with the New NYDFS Requirements
Originally published by Axonius.
Written by Katie Teitler.
In 2017, the New York Department of Financial Services (NYDFS) enacted its Cybersecurity Regulation, designed to help the financial services entities under its purview improve their cyber defenses. The initial regulation outlined tactics and techniques that constitute a comprehensive security program capable of minimizing an organization’s exposure to growing cyber threats.
The first iteration of the regulation gave financial institutions a certain degree of freedom in how requirements could be achieved. Broadly speaking, the rule stipulated that institutions must:
- Conduct annual cyber risk assessments
- Implement basic technical controls across 15 areas, including hardened access controls, data protection, and encryption
- Maintain a current incident response plan
- Notify regulators within 72 hours of a suspected cybersecurity event
- Employ a Chief Information Security Officer (CISO) to help protect information systems and to approve written policies
The regulation has undergone several updates since its inception to ensure that covered entities remain vigilant. The latest proposed amendments were announced on November 9, 2022. The new requirements will be more stringent than in the past and can be grouped into six buckets:
- Increased obligations for larger companies, with the definition of “larger companies” clearly spelled out
- More specificity around the definition of “risk assessment,” and certain accompanying requirements based on individual tailoring per organization
- New technology requirements, including a complete asset inventory and stronger access controls (especially around privileged accounts)
- Enhanced notification requirements
- Expanded governance practices
- Stricter penalties for non-compliance
This post will focus on the requirement for maintaining a cybersecurity asset inventory. But it’s not just a basic asset inventory that’s important here. The amendments to the Cybersecurity Regulation address monitoring and maintenance of data governance, access controls, unpatched software, end-of-life technology management, vulnerability and risk management, and more — all things that are part and parcel of managing an asset inventory. In other words: comprehensive cybersecurity asset management.
The amendments, designated as the “Proposed Second Amendment to 23 NYCRR 500,” include:
“As part of its cybersecurity program, each covered entity shall implement written policies and procedures designed to ensure a complete, accurate and documented asset inventory. The asset inventory shall be maintained in accordance with written policies and procedures. At a minimum, such policies and procedures shall include:
(1) a method to track key information for each asset, including, as applicable, the following: (i) owner; (ii) location; (iii) classification or sensitivity; (iv) support expiration date; and (v) recovery time requirements. (2) the frequency required to update and validate the covered entity’s asset inventory.”
Is asset inventory enough?
Cybersecurity asset management is just part of a larger picture, one that is cyber asset attack surface management, or CAASM for short. CAASM, for its part, rolls up into continuous threat exposure management (CTEM), a term becoming increasingly important for organizations that want to holistically address the cyber risks targeted at their technology landscapes.
Why is this important? It’s important because asset management is not simply a practice to count all the things — all the hardware, software, users, cloud environments, SaaS applications, CVEs, configurations, policies, patches, etc. — in a digital ecosystem. Instead, asset management serves the purpose of allowing organizations to:
- Identify or validate and classify all assets
- Surface asset-related vulnerabilities and risk
- Track and manage asset-based threat exposure over time
- Take remediation action (when appropriate)
For financial entities subject to the NYDFS Cybersecurity Regulation, the proposed amendments put a clear focus on understanding and controlling assets — not just finding them. And though increased mandatory controls and practices will get organizations much of the way there, the larger picture must be on how devices, users/identities, access controls, SaaS apps, cloud instances, data repositories, vulnerabilities, and more all relate to other assets in the organization’s infrastructure.
Without clear, comprehensive asset management — a capability that aggregates and correlates data from all deployed technology in an organization’s ecosystem and provides a single view of the environment’s security state — companies cannot expect to manage their attack surface or threat exposure.
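As an added illustration (not code from Axonius or the original post) of what the aggregation and correlation described above looks like in practice: the snippet merges constructed exports from three hypothetical sources, keys them on hostname, and checks each unified record against the five per-asset fields quoted from 23 NYCRR 500 plus the update/validation frequency. The source names, field names and the 90-day frequency are assumptions.

```python
from datetime import date

# Constructed sample exports from three hypothetical sources (not real tool output).
EDR_AGENTS = [
    {"host": "FIN-DB-01.corp.example", "owner": "dba-team", "last_seen": "2023-03-01"},
    {"host": "fin-web-02.corp.example", "owner": "", "last_seen": "2023-03-01"},
]
CMDB = [
    {"hostname": "fin-db-01", "location": "NYC-DC1", "classification": "NPI",
     "support_end": "2022-12-31", "rto_hours": 4, "last_validated": "2022-09-15"},
    {"hostname": "fin-web-02", "location": "AWS us-east-1", "classification": "",
     "support_end": "2025-06-30", "rto_hours": 24, "last_validated": "2023-02-20"},
]
VULN_SCAN = [
    {"target": "FIN-DB-01", "open_critical": 3},
    {"target": "fin-app-03", "open_critical": 1},  # seen only by the scanner: unknown to CMDB/EDR
]

# The five per-asset fields named in the proposed 23 NYCRR 500 amendment.
REQUIRED = ("owner", "location", "classification", "support_end", "rto_hours")

def key(name: str) -> str:
    """Correlate records across sources by short, lowercased hostname."""
    return name.split(".")[0].lower()

def build_inventory() -> dict:
    """Aggregate every source into one record per asset (the 'single view')."""
    inv: dict = {}
    for r in EDR_AGENTS:
        inv.setdefault(key(r["host"]), {})["owner"] = r["owner"]
    for r in CMDB:
        inv.setdefault(key(r["hostname"]), {}).update(
            location=r["location"], classification=r["classification"],
            support_end=date.fromisoformat(r["support_end"]), rto_hours=r["rto_hours"],
            last_validated=date.fromisoformat(r["last_validated"]))
    for r in VULN_SCAN:
        inv.setdefault(key(r["target"]), {})["open_critical"] = r["open_critical"]
    return inv

def find_gaps(inv: dict, today: date, validate_every_days: int = 90) -> dict:
    """Return {asset: [gap, ...]}: missing required fields, expired support, stale validation."""
    gaps = {}
    for name, a in inv.items():
        g = [f"missing {f}" for f in REQUIRED if not a.get(f)]
        if a.get("support_end") and a["support_end"] < today:
            g.append("support expired")  # end-of-life technology still in the estate
        lv = a.get("last_validated")
        if lv is None or (today - lv).days > validate_every_days:
            g.append("inventory record not validated within policy frequency")
        if g:
            gaps[name] = g
    return gaps

def demo_gaps() -> dict:
    """Run the check against the constructed data as of a fixed date."""
    return find_gaps(build_inventory(), date(2023, 3, 1))
```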