Corporate Compliance Insights

Compliance is a Tall Order for Small Financial Institutions

by Stephen Gates
November 9, 2017
in Compliance, Featured

A Practical Approach to the New NYDFS Regulation

Now that the first compliance deadline for the New York State Department of Financial Services’ new cybersecurity regulation has gone into effect, what do banks and financial institutions of all sizes need to know? Beyond the straightforward requirements, such as appointing a CISO and implementing a robust cyber program, many of the new tasks will require a much heavier and more time-intensive lift. While the major banks may view this as just one more regulation among many, smaller institutions with already constrained resources will be put to the test. This article explores the major requirements and their potential impact.

Chief executives and decision makers at small-to-mid-sized New York-based financial institutions and banks may not be in a “New York State of Mind” following the New York State Department of Financial Services’ (DFS) new cybersecurity regulation. In full effect since March 2017, the regulations affect thousands of financial institutions and feature several stages of compliance through February of 2018.

These first-in-the-nation protections lay out a mandate of minimum cybersecurity standards that banks and financial institutions must adhere to so that their defenses match the relevant risks and keep pace with the technological advances of today’s hackers. As of the first compliance deadline – August 28, 2017 – the cybersecurity regulations require that financial institutions:

  • Uphold a board-approved cybersecurity program designed to protect the confidentiality, integrity, and availability of the covered entity’s information systems
  • Retain a Chief Information Security Officer (CISO)
  • Conduct periodic risk assessments and annual penetration tests to identify vulnerabilities and then implement all necessary controls
  • Form a detailed security incident response plan to notify regulators within 72 hours of a cybersecurity or data security incident
  • Present a certification from senior compliance officers that the company’s controls are adequate (this provision takes effect in February 2018)

While these measures appear to be a step in the right direction, as they force organizations to anticipate and proactively prepare for evolving cyber attacks and ensure the adequate protection of consumer information, the requirements seem to be designed in favor of larger financial institutions. In fact, the largest players in the industry may be the only ones with enough resources and funds to comply within the timeline required.

Most large financial institutions, such as the top five full-service global investment banks – JPMorgan Chase, Goldman Sachs, Bank of America Merrill Lynch, Morgan Stanley and Citigroup – were already well prepared for the new cybersecurity regulation. The required changes very likely had little impact on these organizations, since many of the components already fell under other industry standards to which these large corporations were previously subject. It is the smaller financial institutions – those with fewer available resources, limited budgets and technology, and less skilled security personnel in place to protect themselves adequately – that are most vulnerable to cyber threats. As a result, the institutions with the greatest risk and the most constrained resources are hit the hardest as they strain to comply with the regulations.

As a direct result of the new requirements, small financial organizations must move quickly to develop an effective cybersecurity approach that does not exhaust their existing technical resources.

Below are the major requirements set by the state of New York, along with advice to help executives of smaller banks and financial institutions get their bearings and set a clear path forward while remaining in compliance.

Recommendation: Take it to the board. Organizations must develop and uphold a board-approved cybersecurity program designed to protect the confidentiality, integrity, and availability of all sensitive information.

Leadership on cyber issues and the new regulation must come from the top. That means getting executive leadership and the board involved in setting a comprehensive strategy for managing cyber risk. Following guidelines from PCI-DSS, the SANS Critical Cybersecurity Controls and the OWASP Top 10 can help ensure that an organization’s cybersecurity program leverages industry best practices and is actionable. Using these resources as the base model for a cybersecurity program makes far more sense than trying to build an entirely new program from scratch. One should also note that having a protocol in writing, signed off on by the board, does not by itself make the organization any more secure. There needs to be a real plan to map to and execute, and to ensure that compliance deadlines are met.

Recommendation: Promote or hire a CISO to align on security strategy and protect critical information.

Having a CISO in place is of utmost importance to NY regulators, because the CISO’s main role is the planning and execution of the board-approved cybersecurity program. For banks with limited personnel, this can mean appointing an existing employee who wears dual hats, but they need to be careful with this approach. CISOs must not only have an extensive understanding of the security risks, threats and vulnerabilities an organization faces, but also the skill set to implement the right techniques and set the procedures that truly strengthen an organization’s cyber defenses. The addition of this new role brings a variety of organizational changes for small financial institutions, not only to company structure but also to culture. Merely appointing a CISO or updating someone’s job title does not make an organization any more secure than it was before. While time-consuming up front, a search for the right person for the job must be conducted – ultimately saving time, money and potentially the company’s reputation in the long run.

Recommendation: Don’t set it and forget it. Periodic risk assessments and annual penetration testing are critical to successful security protocol.

Once a plan is in place and communicated to the organization, it will be key to test it on a semi-regular basis to identify vulnerabilities and implement the necessary controls. To guarantee that the results of periodic risk assessments and annual penetration tests are not skewed in any way, they should be performed by an independent third party. This way they represent only factual, actionable information and meet the necessary requirements. It is also recommended to perform daily, weekly and monthly penetration tests in-house, to ensure that no new vulnerabilities are introduced by recent updates. A strong update program also keeps on top of applying vendor patches – sooner rather than later – as they normally fix vendor-introduced vulnerabilities that have the potential to create serious risk.

Recommendation: Time is of the essence. When a breach occurs, organizations must implement a security incident response plan and report occurrences to authorities within 72 hours.

If you look at the recent data breaches, the majority have not been carried out as quick, overnight attacks. In fact, the hackers often lie in wait within breached networks for months without being detected. As a result, organizations need to put controls in place to reduce the time from infection to detection, cutting it to minutes or seconds instead of weeks or months. After all, the bottom line is clear – the longer hackers remain resident, the more damage they will cause. Under the new regulations, financial institutions must have a written incident response plan that ensures the firm mitigates the effects of a cybersecurity event and reports any incident to the federal authorities within 72 hours of detection. No longer can companies sit for months on the information that they have been breached, as we saw with Equifax, Target, Yahoo and so many others.

Recommendation: Implement the appropriate controls and have them verified and certified by compliance officials.

Without a proper certification process, organizations and senior executives can be held liable in the event of a breach. The certification process is critical to ensure an organization can prove that the concepts of due diligence and due care are being fully carried out. However, there is no defined baseline for compliance. Because these concepts can be somewhat subjective, going above and beyond them will help if an organization ever faces a class-action lawsuit over damages caused to consumers by a data breach. There is no harm and only upside in keeping ample records of the controls in place and the ongoing actions taken to ensure full compliance and security. As with security measures as a whole, it is best to practice preparedness at all times.

New York regulators have put a stake in the ground for financial institutions to protect their customers’ information, regardless of the hardship it may cause. Small organizations will need to get organized quickly and evaluate their security foundation – or face the consequences. Hopefully smaller financial institutions at risk of not meeting the protocols can heed the call and follow the above tips to significantly minimize the threat of ignoring these regulations.


Stephen Gates

Stephen Gates, Chief Research Intelligence Analyst at Zenedge, has been instrumental in helping solve DDoS and web application security problems for service providers, hosting providers and enterprises in North America and abroad for over a decade. He has more than 25 years of computer networking, information security and product management experience. In his last role, Stephen served as the Chief Research Analyst for NSFOCUS before joining the ZENEDGE team. He is a recognized Subject Matter Expert on DDoS attack tools and methodologies, including next-generation cybersecurity solutions. You can usually find Stephen providing insight, editorial, industry thought leadership and live presentations covering the latest security topics at RSA, Black Hat, SecureWorld, SANS, Infosecurity, IANS, ISSA, InfraGard, ISACA, etc.
