Woman making expressive hand movements behind computerVendor Contracts and Legal Requirements Regarding Pen Testing and Vulnerability Assessments

Vendor Contracts and Legal Requirements Regarding Pen Testing and Vulnerability Assessments

More and more frequently, penetration testing and vulnerability assessments are making it into news headlines and advertisements.  Let’s examine a few questions you should ask before signing up for a pen test or vulnerability assessment:

·        What are they?

·        How frequently should they be run?

·        Who offers these tests?

·        Contractual terms to consider?

What Are They?

Pen tests test security from the outside or inside.  Some regulations require them, such as the New York State Cybersecurity Regulation (23 NYCRR500; the “Regulation”).  The Regulation defines penetration testing as a “methodology in which assessors attempt to circumvent or defeat the security features of an Information System by attempting penetration of databases or controls from outside or inside” the system.  Imagine it’s a basketball practice or hockey scrimmage and the coach’s focus is on gauging the strength and reliability of the defense in preventing the goals or baskets.  The intention is to identify the vulnerabilities and then try to exploit them, i.e., try to exploit the system.

By contrast, a vulnerability assessment is systematic review of information systems in order to identify cybersecurity vulnerabilities, quantify and/or consider the reasonable risk posed by vulnerabilities and potentially prioritize the levels of threat.  The goal is to identify potential risks.  The Regulation defines a vulnerability assessment as “systematic scans or reviews of Information Systems reasonably designed to identify publicly known cybersecurity vulnerabilities” in the Information Systems.

How Frequently Should They Be Run?

Under the Regulation, penetration testing must be performed annually, focusing on the relevant risks identified in your Risk Assessment.

Vulnerability assessments must be performed biannually, based on the Risk Assessment results.

NIST (National Institute for Standards and Technology) provides various vulnerability validation techniques, which include pen testing and vulnerability assessments.

Who Offers These Tests?

Who doesn’t?  Nearly every company in any way related to technology will offer this service.  Why?  It is inexpensive, a good first step to understanding a company, and the tests are relatively easy to perform.  It is important to find trusted, experienced vendors who know the purpose and goals of these tests.  Some parts of the tests are automated, and others require a sufficient degree of skill – so experience and knowledge will be important in selecting a vendor.

Contractual Terms to Consider

Because an organization must share a lot about their business and expose their systems during pen testing and vulnerability assessments, a vendor should be chosen thoughtfully, and contracts entered into carefully.

Initially, what is the purpose of performing the tests, are they legally required, are they part of a larger risk assessment and analysis?  What should the end product report look like?

Confidentiality is a must-have provision.  The scope of the project should be well defined and planned so as not to harm business operations or create new vulnerabilities.  Make sure the vendor has the appropriate insurance in place.  Most importantly, there must be well-defined risk allocation provisions.  Plan also for what the end of the project will look like and results and next steps.

Again, key ingredients of a vendor contract are confidentiality, scope, vendor insurance, risk allocation provisions and results/next steps.

The bottom line?  Know your vendor, get referrals from trusted persons in the space, and make sure the right legal obligations are in place.  The attorneys at Beckage PLLC can help you navigate through pen testing and vulnerability assessment from drafting the vendor agreement to performing a gap analysis of your current practices and policies and updating them accordingly.

DISCLAIMER:  This alert is for general information purposes only.  It does not constitute legal advice, or the formation of an attorney-client relationship, and may not be used and relied upon as a substitute for legal advice regarding a specific issue or problem.  Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where that advice is sought.  If you have any questions, please contact an attorney at Beckage: www.beckage.com or info@beckage.com.

Attorney Advertising: Prior results do not guarantee a similar outcome.

Black and White upward view of buildings in cityNext Compliance Milestone Approaches Under the NYS DFS Cybersecurity Regulation

Next Compliance Milestone Approaches Under the NYS DFS Cybersecurity Regulation

The New York State Department of Financial Services issued a Cybersecurity Regulation (23 NYCRR 500)(“Regulation”) that went into effect on March 1, 2017.  The Regulation carried with it several compliance milestones applicable to “Covered Entities” under the Regulation, which includes those entities that are operating or required to operate under the New York insurance, finance and banking laws.  

SUMMARY OF COMPLIANCE MILESTONES TO DATE

The Regulation first required Covered Entities to establish a number of Cybersecurity and IT policies and procedures by August 28, 2017.  Next,Covered Entities were required to submit a Certification to the Department of Financial Services by February 5, 2018, that they complied with the first milestone under the Regulation.  By March 1, 2018, the Regulation required Covered Entities to additional CISO reporting,Annual Penetration Testing and Vulnerability Assessments, Risk Assessments and implement Multi-Factor Authentication where necessary based on the results of the Risk Assessments.

The most recent milestone was on September 3, 2018.  Covered Entities were responsible for establishing audit trails to reconstruct material financial transactions creating policies and procedures around in-house developed applications and assessing the security of externally developed applications.  In addition, Covered Entities were required to establish policies on Data Retention limitations, continue Cybersecurity training and monitoring and develop procedures for the encryption of Non-Public Information that is transmitted over external networks and at rest, unless infeasible.  

NEW MILESTONE – MARCH 1, 2019 DEADLINE

The next compliance milestone pertains to Third Party Service Providers. This milestone must be met by March 1, 2019 and involves the oftentimes complex process of evaluating the Third-Party Service providers utilized by your company.  This process can be a cumbersome and time-consuming given to the complexity of the relationships your company may have with a variety of Third-Party Service Providers.  Accordingly, it is recommended that you begin this process as soon as possible as there are often several components to the analysis.  

SUGGESTED NEXT STEPS

Moving towards the March deadline, Covered Entities should assess the risk that each Third-Party Service Provider poses to their data and systems and then determine an effective solution to address those risks.  It is insufficient to rely solely on the Certification of Compliance submitted by theThird-Party Service Providers the DFS under the Regulation as their only means of evaluating their compliance with this milestone.  

Covered Entities should take steps to determine what, if any, Third Party Service Providers are being utilized by the company, evaluate them as it relates to security, and review the relevant policies and procedures. Covered Entities should consider whether or not it makes sense to require Third Party Service Providers to carry adequate insurance including Cyber Insurance to cover both the entity and the Covered Entity should a breach occur.  

ADDITIONAL INSIGHT INTO THE REGULATION

It is helpful to note that the DFS regularly answers FAQs pertaining to the DFS Cybersecurity Regulation that provide valuable insight.  The complete list of FAQs can be found at the following link: https://www.dfs.ny.gov/about/cybersecurity_faqs.htm

The contents of  23 NYCRR Part 500 can be found here: https://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf

The attorneys at Beckage PLLC are fully equipped to help you navigate through the Third-Party Service Provider Risk Assessment and all other components required under the Regulation by offering practical legal advice that will help arm your company with the knowledge to assist in making sound business decisions.  

DISCLAIMER: This alert is for general information purposes only. It does not constitute legal advice, or the formation of an attorney-client relationship, and may not be used and relied upon as a substitute for legal advice regarding a specific issue or problem. Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where that advice is sought.  If you have any questions, please contact an attorney at Beckage. www.beckage.com.or info@beckage.com.

Attorney Adverting: Prior results to not guarantee a similar outcome.