Cybersecurity is in the news every day now, and that is certainly going to continue. Experts frequently note that being compliant does not mean being secure, but regulation does push organizations that have done very little to start down the path toward becoming more secure.
New York State is taking the lead in creating serious cybersecurity regulations, and it is targeting financial firms first. The New York State Department of Financial Services (DFS) initially proposed regulations that were to take effect on January 1, but after reviewing input from a number of the affected organizations, it made modifications and set a new effective date of March 1.
This “first in nation” regulation (23 NYCRR Part 500) requires banks, insurance companies, and other financial services institutions regulated by DFS to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.
The overall vision of the regulation is to create an environment in which companies covered by DFS have better control over the Information Systems and Nonpublic Information they hold, reduce risk from cybersecurity events, and follow a framework for reporting on and validating the programs the regulation requires.
One of the most significant requirements is that covered institutions have a documented Cybersecurity Program in place. The program sets out not only what information the organization holds and who has access to it, but also what must be done to control and secure that data and those systems.
By conducting a Risk Assessment, the organization identifies which areas of the regulation it needs to address and to what depth. Many components of the regulation are scaled to the organization’s risk profile, which determines the policies and procedures that must be implemented and followed to ensure compliance. The assessment must be documented and repeated periodically; an assessment done once and filed away does not meet the intent of the regulation.
The cybersecurity program must identify and assess internal and external risks; use defensive policies and procedures to prevent unauthorized access and use; and detect, respond to, recover from, and report on cybersecurity events. The accompanying Cybersecurity Policy must address more than a dozen areas, from internally focused categories such as access controls, data governance, and asset inventory to third-party service provider management, so there is a significant number of complex policies and procedures that must be written, implemented, and approved by a senior officer or the board of the covered entity.
To ensure these policies and programs are implemented and followed, DFS requires that a Chief Information Security Officer (CISO) be designated. The CISO is responsible not only for implementing the appropriate programs, policies, and procedures, but also for reporting in writing to the governing board, at least annually, on the effectiveness of the program and on any cybersecurity events that have taken place. The CISO must be a “qualified individual” designated by the covered entity.
The program must also include penetration testing and vulnerability assessments; audit trails; application security; and training for qualified cybersecurity staff. Additionally, the covered entity must ensure that Third Party Service Providers with access to its Information Systems and Nonpublic Information meet minimum cybersecurity practices appropriate to the risk they present, so that the covered entity’s systems and data are not exposed through a vendor connection. No set of controls makes a system “fully secure”; the point is that a provider’s access should be governed as carefully as an employee’s.
The regulation also sets out requirements for multi-factor authentication, limits on data retention, encryption of Nonpublic Information in transit and at rest, training and monitoring of personnel, a written Incident Response plan, and notice to DFS of qualifying cybersecurity events within 72 hours.
This is a comprehensive regulation that spells out specifics for covered entities. Most large institutions will already have most of these programs and policies in place, but a significant number of smaller organizations will not have the qualified staff to create, institute, and manage them.
Fortunately, DFS allows covered entities to use third parties for this; the CISO role itself may be filled by an employee of an affiliate or a third-party service provider. While responsibility for compliance still rests with the covered entity, it can engage outside providers to put these programs in place.
These programs are not easily prepared or executed. The regulation reaches into many areas, from general data governance to specifics about penetration testing. A comprehensive plan cannot be created from an online template, nor can a risk assessment be done with a simple checklist tool.
As the regulation states, a “qualified” individual must oversee these programs and report to the board that appropriate measures are in place and effective, and the covered entity must certify its compliance to DFS each year. This is not a job for the system administrator who helps when your email goes down or you can’t print.
Given the complexity and broad scope of the regulation, organizations that do not have the talent on staff or a significant IT security team would be best served by engaging an outside firm to create, implement, manage, and report on the many detailed components of the regulation.
Similar to the EU’s forthcoming General Data Protection Regulation (GDPR), this regulation is the first of what we presume will be many to come in the US. Financial firms are only the first to be covered; it is clear that many other organizations hold vulnerable systems and nonpublic information that need to be secured.
(About the Author: Bill Noonan oversees sales, marketing and business development for SPHERE Technology Solutions).