Posted on Feb 9, 2017
In early September 2016, the New York State Department of Financial Services (DFS), under the direction of Governor Andrew Cuomo, announced that a “first-in-the-nation regulation has been proposed to protect New York State from the ever-growing threat of cyber attacks.”
As of this writing, the new update is subject to public comment for a shorter, 30-day window. The latest updates, among other things, pushed back the implementation, from Jan 1, 2017 to March 1, 2017, and increased the time organizations had to comply from 90 days to 180-days after the regulations take effect. The new regulations, known as Section 500 or 23 NYCRR 500, will apply to financial services companies licensed by New York, but not to nationally chartered institutions. However, as Bloomberg News noted, because this is the first regulator issuing cybersecurity guidelines, it may impact or provide a starting point for other state or even national regulators.
This potentially wide-reaching impact is why CISOs of all industries should be paying attention to these regulations, how they’re received, and what may result from them. In this article, we’ll go over the proposed regulations and subsequent changes that occurred the first review period and what CISOs should be focused on.
The DFS regulations were originally released in September and were updated later in December following a public comment period. The new regulations cover a wide swath of requirements covering 5 major areas, as listed in a shorter document summarizing the proposed cybersecurity requirements.
Establishment and adoption of a cybersecurity policy and program include cybersecurity processes such as penetration testing, access privilege reviews, among others, similar to other guidelines and standards pertaining to information security. These requirements focus on implementing a preventive and reactive policy that can quickly recover should a security incident occur.
Regarding what an organization should adopt in their cybersecurity program, the DFS has written short sections on the following:
Although these requirements are best practices for any information security department, the direct attention to CISOs and Third-Party Service Providers prompts further exploration.
The DFS Regulations state that all ‘Covered Entities’ (organizations subject to the regulation) must designate a CISO who must report, in writing, to the board the efficacy of the organization’s cybersecurity policy, material risks, and integrity of its systems annually.
Regarding Third-Parties, the regulations have an extensive section dedicated to having organizations “implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third-Party Service Providers.”
The DFS list of third-party security regulations focus on identifying and assessing the risk of third-parties (something we covered here), requiring them to meet minimum cybersecurity practices, engaging in third-party due diligence and periodic assessment, and “continued adequacy” of cybersecurity practices, among others.
These additions were based on a report on third-party service providers in the banking sector that the NY DFS published in April 2015, updating a previous May 2014 report. In it, the DFS found that 95% of the surveyed banking organizations conduct specific information security risk assessments with high-risk vendors and that 90% have information security requirements for third-parties.
However, once we get into more mature third-party risk management processes, not every organization adheres to best practices. Of the banking organizations surveyed, 21% do not require third-parties to represent that they have established minimum information security requirements and only 36% have information security requirements that extend to third-party subcontractors (also known as fourth-parties).
Regarding the protection of sensitive data, 90% of organizations encrypt data transmitted to or from third-parties but only 38% use encryption for data at rest, which is often the data at risk as it is targeted by attackers who are looking to access sensitive information within an organization’s network.
This third-party report provides insight into the DFS’ perspective on third-party risk management and future updates can serve as an indication for how the DFS may shift and add regulatory requirements to their third-party risk management section of the regulation proposal.
These regulations will be followed by a number of other regulatory and industry standard organizations as an example of cybersecurity best practices that other financial institutions and organizations may have to follow. CISOs in financial institutions who are directly impacted by the new DFS regulations should take the necessary steps to reach compliance and can submit their first annual certification to the DFS by February 15, 2018.
We recommend all CISOs do the following:
The next, and final, version of the DFS regulations is slated to come out after the end of the review period, which ended in mid-January and will be implemented on March 1st. CISOs should pay attention to the changes from the most recent version, which will reflect the comments and feedback made by other financial organizations. This is directly related to our next point.
One of the revisions made between the DFS regulations is how often CISOs were required to report to the board of directors. Initially, the cadence required that a CISO reported to their board twice a year. The most recent update has shifted from a biannual reporting requirement to an annual reporting requirement an organization’s best move is to engage in continuous risk monitoring in order to be able to report to the board as needed regardless of the required reporting cadence which may change over time.
The biggest takeaway from the DFS regulations is the attention on third-party risk management. As breaches are increasingly attributed to third parties or subcontractors, the importance of third-party risk management from an information security standpoint has been rightly highlighted by a number of regulatory and guiding standards. CISOs must prepare for the likelihood that future updates or other regulations based off the DFS will have the same requirements regarding third-parties, if not more.
CISOs should be proactive and follow many of these guidelines and requirements, even if they’re not subject to them. The financial industry is the most regulated from a cybersecurity standpoint because they have the highest likelihood of being targeted by hackers. By modeling your information security system on the DFS guidelines, you’re ensuring that your level of security is ahead of your industry. Then, if updates to existing regulations are published that are based on the DFS regulations, your organization is already prepared and compliant.
The financial and security industries are looking at the new DFS regulations with a close eye. The next update will set in place how major institutions will be regulated and how organizations react and adhere to these regulations will set a tone for future updates and related regulatory actions. Like with information security as a whole, CISOs should practice proactivity in regards to these regulations, not only for compliance’s sake but for security’s sake.
Check out our list of 3 top third party risk management (TPRM) challenges, and the actions you can take to bolster your program. Learn more.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
Co-founder and CEO, Alex Yampolskiy, speaks about the importance of measuring and acting on key indicators of cybersecurity risk.
You’ve invested in cybersecurity, but are you tracking your efforts? Check out our list of 20 cybersecurity KPIs you should track. Read more.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.