The state of New York’s Department of Financial Services (DFS) issued the first state-level cybersecurity regulation for financial institutions with its Cybersecurity Requirements for Financial Services Companies, which became effective March 1, 2017. The press release issued contemporaneously with the regulation states that it was designed to protect the “financial services industry and consumers from the ever-growing threat of cyber-attacks”, adding: “The final regulation requires banks, insurance companies, and other financial services institutions regulated by the Department of Financial Services to establish and maintain a cybersecurity program designed to protect consumers’ private data and ensure the safety and soundness of New York’s financial services industry.”

The regulation sets certain regulatory minimum standards while encouraging firms to keep pace with technological advances. Companies have a sliding scale of time to comply fully, from as little as 180 days for most requirements to up to two years for some. The new regulation provides important protections to prevent and avoid cyber breaches, including:

  • Controls relating to the governance framework for a robust cybersecurity program including requirements for a program that is adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization;
  • Risk-based minimum standards for technology systems including access controls, data protection including encryption, and penetration testing;
  • Required minimum standards to help address any cyber breaches including an incident response plan, preservation of data to respond to such breaches, and notice to DFS of material events; and
  • Accountability by requiring identification and documentation of material deficiencies, remediation plans and annual certifications of regulatory compliance to DFS.

While the regulation is obviously geared towards financial services firms, there are several points that compliance practitioners outside financial services should consider. Among other things, the overall cybersecurity program must be designed to “(a) detect Cybersecurity Events; (b) respond to identified or detected Cybersecurity Events to mitigate any negative effects; (c) recover from Cybersecurity Events and restore normal operations and services; and (d) fulfill applicable regulatory reporting obligations.”

There must be a written cybersecurity policy, approved by the entity’s Board of Directors. It must be based on the entity’s risk assessment and address the following areas, to the extent applicable: “(a) information security; (b) data governance and classification; (c) asset inventory and device management; (d) access controls and identity management; (e) business continuity and disaster recovery planning and resources; (f) systems operations and availability concerns; (g) systems and network security; (h) systems and network monitoring; (i) systems and application development and quality assurance; (j) physical security and environmental controls; (k) customer data privacy; (l) vendor and Third Party Service Provider management; (m) risk assessment; and (n) incident response.”

The regulation requires each covered entity to designate a Chief Information Security Officer (CISO), with a corresponding Board-level reporting channel for that person. Notably, the CISO must report, in writing, no less than annually to the Board on the following topics: (1) the confidentiality, integrity and security of the entity’s information systems; (2) its cybersecurity policies and procedures; (3) material cybersecurity risks; (4) the overall effectiveness of the cybersecurity program; and (5) any material cybersecurity events. The CISO and the cybersecurity staff must be qualified in the discipline and keep abreast of cybersecurity developments.

For ongoing monitoring, there must be annual penetration testing and vulnerability assessments at least twice a year (the regulation’s “bi-annual”). Finally, there must be periodic risk assessments, carried out under written policies that set out: (1) criteria for the evaluation and categorization of identified cybersecurity risks or threats; (2) criteria for assessing the confidentiality, integrity, security, availability and adequacy of existing controls in the context of identified risks; and (3) requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the cybersecurity program will address them.

If a covered entity allows a third-party service provider to access or hold its data, it must have written policies covering: (1) identification and risk assessment of the third party; (2) the minimum cybersecurity practices the third party must meet in order to do business with the entity; (3) the due diligence process used to evaluate the adequacy of the third party’s cybersecurity practices; and (4) periodic assessment of the third party based on the risk it presents and the continued adequacy of its cybersecurity practices. There are also training and ongoing monitoring requirements for company employees.

All of the above should sound quite familiar to any anti-corruption compliance professional. The DFS regulation should also be studied as a roadmap for the cybersecurity and InfoSec compliance obligations that are just down the road for non-financial services industries. The third-party provisions are particularly important, as several major breaches came through connected third parties or the payment links between institutions. One need only think of the Target data breach, where the attackers got in using network credentials stolen from a heating and air-conditioning vendor, or the theft from the central bank of Bangladesh’s account at the Federal Reserve Bank of New York by means of fraudulent SWIFT payment instructions.

This risk should be addressed through a process along the following lines:

  • Segment: ask each business unit what third-party services it uses, of what type, and how critical they are, then tier the due diligence by risk.
  • Scope: assign the relevant controls to each vendor based on the data and systems it touches, and calculate the inherent risk of each relationship.
  • Collect: gather vendor questionnaire responses, supporting documentation and security intelligence about the vendor’s systems as evidence for assessing control effectiveness.
  • Assess: review the collected information to confirm the required controls are in place and evaluate the design and operating effectiveness of each control.
  • Remediate and report: make the needed changes, track progress, and report residual risk and remediation status to the stakeholders responsible for risk acceptance.
  • Monitor: on an ongoing basis, watch controls, risk factors and Service Level Agreements (SLAs), and alert when remediation, re-segmentation or a refreshed assessment is needed.

InfoSec and cybersecurity issues are becoming paramount and present a higher level of risk for every corporation. If you hold information and data, your company is at risk. The financial and reputational cost of a breach can be huge, and now a breach can carry a regulatory cost as well. It is better to get ahead of this issue than to chase from behind after a breach.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017

Who was Jeannette Rankin, and why do we celebrate her today in the context of ethics and compliance? She was the first woman elected to Congress, as a Representative from Montana in the 1916 elections. In 1917 she was one of 50 votes opposing America’s entry into World War I. She had the courage to vote with the conviction of her conscience. Her reason for opposing entry into the war: how could Congress support a war to “make the world safe for democracy” yet still refuse “the small measure of democracy to the women of our country” by denying them the right to vote? Vilified after this vote, she was not returned to Congress in the next election.

History is filled with ironies, and in one of the most ironic twists imaginable, Jeannette Rankin was returned to Congress from Montana in 1940. In 1941 she cast the sole vote, out of 389, against America entering World War II against Japan, declaring, “As a woman, I can’t go to war and I refuse to send anyone else.” As noted in the November 2011 issue of the ABA Journal, “She told her constituents that she’d voted her convictions.”

I thought about Jeannette Rankin’s story as I was reading an article in the November issue of the Harvard Business Review (HBR), entitled “Why Don’t We Try To Be India’s Most Respected Company?”, an interview by HBR’s Anand Raman with N. R. Narayana Murthy, a founder of the Indian company Infosys and its most recent Chairman of the Board. I often write about “Tone at the Top”, noting that not only does the US Department of Justice (DOJ) mandate it as one of the requirements for a best practices compliance program, but in reality it is the only way to set the tone for a corporation’s ethics and compliance program.

Murthy said that he was one of the original founders of Infosys and that his vision for the company included the question “Why don’t we aim to be India’s most respected company?” Earning the respect of governments meant that the company would “never violate any laws”. To help achieve this goal, the founders agreed to create a “values-based organization.” Murthy said he believed that business would come if the company was respected.

He said that while it took some time for this ethical corporate reputation to take hold, eventually it did. One result was that corrupt government officials stopped asking the company for ‘favors’. The reputation also generated more and more business, because “our clients entrusted us with increasingly bigger projects.” He said that “you have to learn to stand by your principles; it’s wrong to believe that you have to bribe your way to success.”

Murthy said that Infosys managers are expected to lead by example, explaining that “Leaders have to be careful not to create dissonance between what they say and do.” One example he discussed was consistency of discipline: he cited board members who paid “heavy fines for what could be considered minor infractions.” Murthy believes that “Setting an example at the top is the best way to instill confidence throughout the company.”

So what do Jeannette Rankin’s two votes against America entering two World Wars have to do with Murthy’s interview? Both laid out their beliefs in the most transparent manner possible. I wondered what the effect would be if the Chief Executive Officer of a US company gave such an interview. Even if his or her company were a values-based organization, would they have the courage of their convictions to speak about it so openly? (We will leave aside the question of whether the Law Department would allow them to do so.) Imagine the effect it would have on employees, and on their commitment to doing business ethically, if they did.

————————————————————————————————–

This Week in FCPA, Episode 22 is up. Howard Sklar and I debate the use of DPAs in the UK; Freeport-McMoRan, United Steelworkers, and paying for police protection; Embraer; Tognum resignation; Dadeleh; Allianz; plus a Breakout on Training.

———————————————————————————————–

© Thomas R. Fox, 2011