New York DFS is working with SecurityScorecard to further support the department’s first-in-the-nation cybersecurity efforts to modernize its supervision process.
The New York Department of Financial Services (DFS) is now working with SecurityScorecard to modernize its approach toward regulatory oversight. As described on DFS’s website and discussed during its March 29 Cybersecurity Symposium, (1:21:00 mark), DFS is using SecurityScorecard’s cybersecurity ratings and analysis (based on publicly-available data and open-source information) to assess the strength of the cybersecurity programs of DFS’s nearly 3,000 regulated entities.
During the first-ever DFS Cybersecurity Symposium on March 29, DFS’ Assistant Deputy Superintendent William Peterson presented on “Modernizing Cybersecurity Supervision.” Mr. Peterson’s presentation outlined new efforts by DFS to revamp its supervision process to address today’s modern cybersecurity challenges and better evaluate how companies prepare for and respond to attacks.
New Tools for Today’s Modern Cybersecurity Examinations and Investigations
Specifically, Peterson identified several new tools. First, DFS uses third-party tools such as SecurityScorecard, not to replace DFS examinations, but to provide DFS with a more informative starting point, as well as create a more collaborative environment with covered entities. Security ratings are useful in settings like DFS’ evaluations, Peterson explained, because they measure a large pool of data and enable an outside-in viewpoint to complement an inside-out viewpoint that DFS plans to collect via a questionnaire process called the Cybersecurity and Information Technology Baseline Risk Questionnaire (CIBRQ).
He also stated that ratings help organizations remove blind spots, monitor and prioritize vulnerabilities, and better understand third-party supply chain risks. Peterson identified the following eight of SecurityScorecard’s scoring factors as part of DFS’ evaluations:
Second, DFS regulated entities will be required to periodically complete the new CIBRQ questionnaire tool. According to Peterson, the inside information yielded in this process is aligned with SecurityScorecard’s outside-in, dynamic security rating for an organization.
“By combining the traditional exam data and incorporating the cyber risk tools such as the Cybersecurity Questionnaire (CIBRQ) and SecurityScorecard, we’ll have a more robust and current understanding of a regulated company’s cybersecurity posture,” Peterson said in his remarks. “This will enable us, as regulators, to make better informed supervisory and policy-making decisions.”
DFS expects to begin using the CIBRQ in 2023, and will use it to guide supervision activities and identify risks and trends across a sector. Examiners will use CIBRQ to assess 11 unique aspects of cybersecurity based on the NIST cybersecurity framework.
All organizations are encouraged to receive their free SecurityScorecard rating by visiting Instant SecurityScorecard, which is also a CISA free tool (specifically a tool listed under its “Reducing the Likelihood of a Damaging Cyber Incident”). And to find out more about how DFS and SecurityScorecard work together, watch a recent on-demand webinar or review our earlier blog recap.