Posted on Jun 4, 2017
Since the last time we wrote about the DFS Cybersecurity Regulations, the final version of the regulations went into effect on March 1st, 2017.
It’s 90 days later, and financial companies are racing to fix their cybersecurity posture, with the first set of deadlines quickly approaching. It’s no surprise that NY DFS stepped with this aggressive regulation when you consider the uptick in breaches in the financial industry in the last two years and the fact in New York breaches were up 40 percent last year.
It’s halfway through the 180-day period to achieve compliance with the first deadlines. You’ve probably come up with a general plan or talked about compliance with a few stakeholders, but you’re still left with a few questions.
We’re guessing you are either relieved because this regulation does not affect your company, confused about whether it affects your organization, or panicked because you do not know where to begin. Here’s a high-level breakdown for those who are still wondering whether this regulation impacts you:
Covered Entities: Those already operating operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking, insurance or financial services law.
Exempt Entities: Those that:
Note, however, that even if you’re not technically a covered entity, adherence --or lack of adherence-- to these prescriptive regulations could still be used as an indicator for how mature your company’s cybersecurity program is. (This line of thinking is already circulating in the insurance industry, where a failure to comply might have ramifications for your insurance coverage.)
In short, covered entities are required to:
To see the full regulations click here.
The DFS structured a timeline that is tiered- this means not all of the requirements have to be fulfilled in the first 180 days. Take a look at the image below to get a better understanding of how the deadlines are structured.
This timeline allows you the time to prioritize your decisions about IT investments based on how large a gap you have to close and when the deadline is. A word of advice here: don’t fall victim to the email marketing campaigns rushing you to make a decision on a new solution and using DFS regulations as the hook. Instead, make your decisions about process changes or implementing new solutions based on the level of risk. (If you’re wondering how to visualize what risks are higher, take a look at our tips on creating a risk heat map.)
As an enterprise, you’ll need to stop viewing yourself as a fortress and start viewing yourself as a link in the supply chain.
Companies now have to think about themselves as a link in the supply chain, like a bulb burning out in a string of Christmas lights and making the rest of the line go dead--what happens to one organization now affects those connected to it.
Businesses have to start planning for how to recover from data breaches both as a primary party and a third party. This means a lot more communication about security hygiene between links in the supply chain (and the DFS), mandatory notification times when it comes to your partners, and including third party vendors in recovery plans.
You can bring on a third-party security vendor to help.
Life in the IT department of going to change is going to change quite a bit for the average NY financial institution, even more if you happen to be a small company who didn’t have to employ a CISO (only 59% have a CISO now) and may not have even employed a DLP product or multi-factor authentication.
Fortunately, the regulations recognize the relationships financial institutions have with outsourced security vendors and SaaS (around 70% of financial institutions report supplementing their own security using a mix of these) and allow for those vendors to deal with some of these security changes. This includes allowing for 3rd party CISOs, SOCs, and vetting/reporting to the security departments of partner organizations.
Creating and measuring progress against easy-to-understand security metrics for your company and its vendors is vital.
Whether you’re conducting a self-assessment or a third-party assessment, developing a clear set of metrics that allows you to easily evaluate progress and adjust your cybersecurity controls is important. The SecurityScorecard platform can help you by providing a board-friendly view of your third party risk management efforts (500.09) and your self-risk assessment (500.11). Additionally, the platform allows you to compare your risk profile against others in the financial industry, so you can see how your progress measures up to your competitors.
By shifting your focus from “checking the box” to making real improvements in your company’s cybersecurity posture, the DFS’s long list of requirements suddenly turns from a daunting task list to a helpful and detailed guideline. (Plus, this guideline is one that comes with the added bonus of being required by law- a factor that your board is certainly paying attention to.)
Check out our list of 3 top third party risk management (TPRM) challenges, and the actions you can take to bolster your program. Learn more.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.