The state of New York’s Department of Financial Services (DFS) issued the first state-level regulations on cybersecurity for financial institutions with its Cybersecurity Requirements for Financial Services Companies release, which became effective March 1, 2017. The press release, issued contemporaneously with the regulations, states that they were designed to protect the “financial services industry and consumers from the ever-growing threat of cyber-attacks” and that “The final regulation requires banks, insurance companies, and other financial services institutions regulated by the Department of Financial Services to establish and maintain a cybersecurity program designed to protect consumers’ private data and ensure the safety and soundness of New York’s financial services industry.”
The regulation includes certain regulatory minimum standards while encouraging firms to keep pace with technological advances. Companies have a sliding scale of time to fully comply with the new regulation, from as little as 18 months to up to two years for some requirements. The new regulation provides important protections to prevent and avoid cyber breaches, including:
- Controls relating to the governance framework for a robust cybersecurity program including requirements for a program that is adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization;
- Risk-based minimum standards for technology systems including access controls, data protection including encryption, and penetration testing;
- Required minimum standards to help address any cyber breaches including an incident response plan, preservation of data to respond to such breaches, and notice to DFS of material events; and
- Accountability by requiring identification and documentation of material deficiencies, remediation plans and annual certifications of regulatory compliance to DFS.
While the regulation is obviously geared towards financial services firms, there are several points that any non-financial services compliance practitioner should consider. The overall cybersecurity program should be designed to meet four goals: “(a) detect Cybersecurity Events; (b) respond to identified or detected Cybersecurity Events to mitigate any negative effects; (c) recover from Cybersecurity Events and restore normal operations and services; and (d) fulfill applicable regulatory reporting obligations.”
There should be a written policy, approved by the entity’s Board of Directors, for cybersecurity. It must be based on a risk assessment, taking the following factors into consideration: “(a) information security; (b) data governance and classification; (c) asset inventory and device management; (d) access controls and identity management; (e) business continuity and disaster recovery planning and resources; (f) systems operations and availability concerns; (g) systems and network security; (h) systems and network monitoring; (i) systems and application development and quality assurance; (j) physical security and environmental controls; (k) customer data privacy; (l) vendor and Third Party Service Provider management; (m) risk assessment; and (n) incident response.”
The regulation requires the creation of a Chief Information Security Officer (CISO) position, who reports to the Board of Directors. There must be a corresponding Board-level reporting line for the CISO. Interestingly, the CISO is required to report, in writing, no less than annually to the Board on the following topics: (1) the confidentiality, integrity and security of the information systems; (2) the cybersecurity policies and procedures; (3) material cybersecurity risks; (4) the overall effectiveness of the cybersecurity program; and (5) any material cybersecurity events. The CISO and the cyber compliance team must all show proficiency in the discipline and keep abreast of cybersecurity developments.
For ongoing monitoring, there must be annual penetration testing and biennial vulnerability assessments. Finally, there must be annual risk assessments designed to test: (1) identified cybersecurity risks or threats; (2) criteria for the assessment of the confidentiality, integrity, security, availability and adequacy of existing controls in the context of identified risks; and (3) requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the cybersecurity program will address the risks.
If the financial services company allows a third-party service provider to have access to or hold its data, it must perform an evaluation of that third party in the following areas: (1) identification and risk assessment of the third party; (2) minimum cybersecurity practices the third party must meet in order to do business with the company; (3) due diligence processes used to evaluate the adequacy of the third party’s cybersecurity practices; and (4) periodic assessment of the third party based on the risk it presents and the continued adequacy of its cybersecurity practices. There is also a training and ongoing monitoring requirement for company employees.
All of the above should sound quite familiar to any anti-corruption compliance professional. Yet this DFS regulation should also be studied as a roadmap for the cybersecurity and InfoSec compliance that is inevitably coming for non-financial services industries. Third-party providers are particularly critical, as many major data breaches have occurred through connected third parties. One need only think of the Target data breach or the looting of the Central Bank of Bangladesh through the New York Federal Reserve Bank.
This risk should be addressed through the following process:
- Segment: start by determining the segment involved, asking business units about the type and criticality of each third-party service, then triage due diligence based on risk tiers.
- Scope: assign the relevant controls based on the data and systems each vendor touches, and calculate the inherent risk of each relationship.
- Collect: gather vendor questionnaire responses and supporting documentation, together with vendor system security intelligence, as evidence for the assessment of control effectiveness.
- Assess: review the collected information to confirm the required controls are in place, and evaluate the design and operational effectiveness of each control.
- Remediate: make the needed changes, track your progress, and report on the residual risk and remediation to the stakeholders responsible for risk acceptance.
- Monitor: on an ongoing basis, monitor controls, risk factors and Service Level Agreements (SLAs), and alert when remediation, re-segmentation or an assessment refresh is needed.
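As an added illustration (not part of the original post), the following Python sketch models those steps: required controls are derived from what a vendor touches, inherent risk and tier drive the depth of due diligence, the gap between required and evidenced controls is the remediation list, and a monitoring pass raises the alerts the last step calls for. The control catalogue, scoring weights, tier thresholds, refresh intervals and vendor records are constructed assumptions, not taken from the DFS regulation.

```python
# Third-party risk workflow sketch (constructed example; catalogue and weights are assumptions).
from dataclasses import dataclass, field
from datetime import date

# Scope step: controls a vendor must evidence, keyed by the data/systems it touches (constructed).
CONTROLS_BY_SCOPE = {
    "customer_pii": {"encryption_at_rest", "access_review", "incident_notification"},
    "network_access": {"mfa", "access_review", "pen_test"},
    "public_only": set(),
}
# Monitor step: how often an assessment must be refreshed per tier, in days (constructed).
REFRESH_DAYS = {"high": 365, "medium": 730, "low": 1095}


@dataclass
class Vendor:
    name: str
    scopes: set                      # data/systems touched, reported by the business unit
    criticality: int                 # 1 (low) .. 3 (high) business criticality of the service
    evidence: set = field(default_factory=set)  # controls confirmed by questionnaire/evidence
    last_assessed: date = date(2017, 3, 1)      # date of the last completed assessment
    sla_breaches: int = 0                       # SLA breaches observed since last assessment


def required_controls(v: Vendor) -> set:
    return set().union(*(CONTROLS_BY_SCOPE[s] for s in v.scopes))


def inherent_risk(v: Vendor) -> int:
    # Breadth of sensitive scope times criticality; assumed weighting, before any controls.
    return len(required_controls(v)) * v.criticality


def tier(v: Vendor) -> str:
    # Triage step: the tier decides how deep due diligence goes and how often it refreshes.
    score = inherent_risk(v)
    return "high" if score >= 9 else "medium" if score >= 4 else "low"


def residual_gap(v: Vendor) -> set:
    # Assess step: required controls with no supporting evidence become the remediation list.
    return required_controls(v) - v.evidence


def monitoring_alerts(v: Vendor, today: date) -> list:
    # Monitor step: raise the alerts the process calls for, in a fixed order.
    alerts = []
    if residual_gap(v):
        alerts.append("remediation")
    if v.sla_breaches:
        alerts.append("re-segmentation")
    if (today - v.last_assessed).days > REFRESH_DAYS[tier(v)]:
        alerts.append("assessment-refresh")
    return alerts
```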
InfoSec and cybersecurity issues are becoming paramount and a higher level of risk for every corporation. If you hold information and data, your company is at risk. The financial and reputational cost can be huge, and now a breach can carry a regulatory cost as well. It would be better to get ahead of this issue than to chase from behind after a breach.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2017