A Practical Approach to the New NYDFS Regulation
Now that the first compliance deadline for the New York State Department of Financial Services’ new cybersecurity regulation has gone into effect, what do banks and financial institutions of all sizes need to know? In addition to the straightforward requirements such as appointing a CISO and implementing a robust cyber program, many of the new tasks will require a much heavier and more time-intensive lift. While this may be viewed as just one more item on a long list for the major banks, smaller institutions with already constrained resources will be put to the test. This article will explore the major requirements and their potential impact.
Chief executives and decision makers at small-to-mid-sized New York-based financial institutions and banks may not be in a “New York State of Mind” following the New York State Department of Financial Services’ (DFS) new cybersecurity regulation. In full effect since March 2017, the regulations affect thousands of financial institutions and feature several stages of compliance through February of 2018.
These first-in-the-nation protections lay out a mandate of minimum cybersecurity standards that banks and financial institutions must adhere to so they can match the relevant risks and keep pace with the technological advances of today’s hackers. As of the first compliance deadline – August 28, 2017 – the cybersecurity regulations demand that financial institutions must:
- Uphold a board-approved cybersecurity program designed to protect the confidentiality, integrity, and availability of the covered entity’s information systems
- Retain a Chief Information Security Officer (CISO)
- Conduct periodic risk assessments and annual penetration tests to identify vulnerabilities and then implement all necessary controls
- Form a detailed security incident response plan to notify regulators within 72 hours of a cybersecurity or data security incident
- Present a certification from senior compliance officers that the company’s controls are adequate (provision will take place in February 2018)
While these measures appear to be a step in the right direction, as they force organizations to anticipate and proactively prepare for evolving cyber attacks and ensure the adequate protection of consumer information, the requirements seem to be designed in favor of larger financial institutions. In fact, the largest players in the industry may be the only ones with enough resources and funds to comply within the timeline required.
Most large financial institutions, such as the top five full-service global investment banks – JPMorgan Chase, Goldman Sachs, Bank of America Merrill Lynch, Morgan Stanley, and Citigroup – were already well-prepared for the new cybersecurity regulation. It is very likely that the changes required had little impact on these organizations, as many of the components fell under additional industry standards that these big corporations were previously subject to. However, it is the smaller financial institutions – ones with fewer available resources, limited budgets, technology, and skilled security personnel in place to adequately protect themselves – that are most vulnerable to cyber threats. As a result, these institutions, with the greatest risk and already constrained resources, are hit the hardest as they strain to comply with the regulations.
As a direct result of the new requirements, small financial organizations must move quickly to develop an effective cybersecurity approach that does not exhaust their existing technical resources.
Below are the major requirements set by the state of New York, as well as advice to help executives of smaller banks and financial institutions to get their bearings and set a clear path forward while remaining in compliance.
Recommendation: Take it to the board. Organizations must develop and uphold a board-approved cybersecurity program designed to protect the confidentiality, integrity, and availability of all sensitive information.
Leadership on cyber issues and the new regulation must come from the top. That means getting executive leadership and the board involved to set a comprehensive strategy for managing cyber risk. Following guidelines from PCI-DSS, SANS Critical Cybersecurity Controls, and OWASP Top 10 can help ensure that an organization’s cybersecurity program leverages industry best practices and is actionable. Utilizing these resources as a base model for a cybersecurity program makes a great deal of sense, instead of trying to build an entirely new program from scratch. One should also note that having a protocol in writing and signed off on by a board doesn’t actually make the organization any more secure. There needs to be a real plan to map to, execute, and ensure compliance deadlines are met.
Recommendation: Promote or hire a CISO to align on security strategy and protect critical information.
Having a CISO in place is of utmost importance to NY regulators because the CISO’s main role is the planning and execution of the board-approved cybersecurity program. For banks with limited personnel, this can mean appointing an existing employee who can wear dual hats. But institutions need to be careful with this approach. CISOs must not only have an extensive understanding of the security risks, threats, and vulnerabilities an organization faces, but also have the skill set to implement the right techniques and set procedures that truly strengthen an organization’s cyberdefenses. The addition of this new role brings a variety of organizational changes for small financial institutions, not only to company structure but also to culture. Merely appointing a CISO or updating someone’s job title does not mean an organization is any more secure than it was before. While time-consuming up front, a hunt for the right person for the job must be conducted – ultimately saving time, money, and potentially the company’s reputation in the long run.
Recommendation: Don’t set it and forget it. Periodic risk assessments and annual penetration testing are critical to a successful security protocol.
Once a plan is in place and communicated to the organization, it will be key to test it on a regular basis to identify vulnerabilities and implement the necessary controls. To guarantee that the results of periodic risk assessments and annual penetration tests are not skewed in any way, they should be performed by an independent third party. This way they will represent only factual, actionable information and meet the necessary requirements. It is also recommended to perform daily, weekly, and monthly penetration tests in-house, to ensure that no new vulnerabilities are introduced by recent updates. A strong update program also keeps on top of applying vendor patches – sooner rather than later – as they normally fix vendor-induced vulnerabilities that have the potential to lead to serious risks.
Recommendation: Time is of the essence. When a breach occurs, organizations must implement a security incident response plan and report occurrences to authorities within 72 hours.
If you look at the recent data breaches, a majority of them haven’t been carried out in quick, overnight attacks. In fact, oftentimes the hackers lie in wait within breached networks for months without being detected. As a result, organizations need to put controls in place to reduce the time from infection to detection, bringing it down to minutes or seconds instead of weeks or months. After all, the bottom line is clear – the longer hackers remain resident, the more damage they will cause. Under the new regulations, financial institutions must have a written incident response plan that ensures the firm mitigates the effects of a cybersecurity event and reports any incident to the federal authorities within 72 hours of detection. No longer can companies sit for months on the information that they have been breached, as we saw with Equifax, Target, Yahoo, and so many others.
Recommendation: Implement the appropriate controls and have them verified and certified by compliance officials.
Without a proper certification process, organizations and senior executives can be held liable in the event of a breach. The certification process is critical to ensuring an organization can prove that the concepts of due diligence and due care are being carried out in full. However, there is no defined baseline for compliance. Because these concepts can be somewhat subjective, going above and beyond them will help if an organization ever faces a class-action lawsuit over damages caused to consumers as a result of a data breach. There is no harm and only upside to keeping ample records of the controls in place and the ongoing actions taken to ensure full compliance and security. As with security measures as a whole, it’s best to practice preparedness at all times.
New York regulators have put a stake in the ground for financial institutions to protect their customers’ information, regardless of the hardship it may cause. Small organizations will need to get organized quickly and evaluate their security foundation – or face the consequences. Hopefully smaller financial institutions at risk of not meeting the protocols can heed the call and follow the above tips to significantly minimize the threat of ignoring these regulations.