On March 1, 2017, the New York Department of Financial Services (DFS) cybersecurity regulation (23 NYCRR Part 500) took effect for the banking, insurance, and financial services organizations that DFS regulates. Whether you are based in New York or not, the impact can be far-reaching, given New York's prominence in the global financial industry. Here are the top things you need to know:
What is it?
The regulation is risk-based: each covered entity must perform a documented risk assessment, and that assessment drives the design and maintenance of its cybersecurity program, its cybersecurity policy, and the minimum standard controls it applies. Covered entities must also submit an annual certification of compliance to DFS.
When does the regulation start?
The regulation took effect on March 1, 2017, but transitional periods give organizations time to comply. Some requirements have longer transitional periods than others; the earliest deadline is 180 days after the effective date, August 28, 2017.
What’s new and different?
- New York is pushing the envelope in cybersecurity regulation at the state level, mandating what New York Governor Andrew Cuomo called "first-in-the-nation protections."
- Responsibility for compliance is elevated to the board and senior management: the annual certification of compliance must be signed at that level, and the CISO must report in writing to the board at least once a year on the material cyber risks to the business.
- It makes the risk assessment the focal point for the program, policy, and controls implementation, therefore encouraging a risk-based approach.
However, DFS cautions that these are minimum standards and that compliance is only the beginning; it has said it does not want to be "overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances."
Financial institutions in New York and beyond should take this as an opportunity to look beyond the minimum compliance requirements and consider what’s at the heart of the regulation – building risk-based organizations that are resilient in the face of cyber attack.
What does this require?
- Identification and measurement of the risks that are most important to business operations
- Cost-effective comparisons of risk remediation options
- Effective communication of the value of a cyber risk program and security to an audience of business executives who don’t speak tech
Quantitative risk models are built for exactly these tasks. In fact, the US federal banking regulators (the Federal Reserve, OCC, and FDIC) named FAIR (Factor Analysis of Information Risk) as a known model for cyber risk quantification in their Advance Notice of Proposed Rulemaking on Enhanced Cyber Risk Management Standards.
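As an added illustration of the risk measurement and cost-effective comparison of remediation options that the list above calls for, and of the kind of quantification FAIR formalizes, the following Python script is my own example; it is not code from the regulation, from the FAIR standard, or from this article's author. It models a single loss scenario the FAIR way: loss event frequency (threat event frequency times vulnerability) multiplied by loss magnitude, each drawn from three-point estimates in a Monte Carlo simulation, and then ranks candidate controls by the expected annual loss each one avoids against its annual cost. The scenario, the estimates, the control names and their effectiveness factors are all constructed assumptions for illustration, not figures from any real assessment.

```python
"""FAIR-style cyber risk quantification by Monte Carlo simulation.

Added example for this article, not code from the DFS regulation, the FAIR
standard or the article's author. Every number below is a constructed,
hypothetical estimate used only to show the mechanics.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Pert:
    """Three-point estimate (min, most likely, max) sampled as a PERT distribution."""
    low: float
    mode: float
    high: float

    def mean(self) -> float:
        return (self.low + 4 * self.mode + self.high) / 6  # standard PERT mean

    def scaled(self, factor: float) -> "Pert":
        return Pert(self.low * factor, self.mode * factor, self.high * factor)

    def sample(self, rng: random.Random) -> float:
        span = self.high - self.low
        if span == 0:
            return self.low
        # PERT is a Beta distribution whose shape is set by the mode, rescaled to [low, high].
        a = 1 + 4 * (self.mode - self.low) / span
        b = 1 + 4 * (self.high - self.mode) / span
        return self.low + rng.betavariate(a, b) * span


@dataclass(frozen=True)
class Scenario:
    """FAIR loss scenario: how often a threat acts, how often it succeeds, what a success costs."""
    name: str
    threat_event_frequency: Pert  # threat events per year (TEF)
    vulnerability: float          # probability a threat event becomes a loss event
    loss_magnitude: Pert          # dollars per loss event, primary plus secondary loss

    def analytic_ale(self) -> float:
        """Point estimate of annualized loss expectancy: TEF x vulnerability x loss magnitude."""
        return self.threat_event_frequency.mean() * self.vulnerability * self.loss_magnitude.mean()


@dataclass(frozen=True)
class Control:
    """Remediation option: annual cost and the factors by which it shrinks vulnerability and loss."""
    name: str
    annual_cost: float
    vulnerability_factor: float = 1.0
    loss_magnitude_factor: float = 1.0

    def apply(self, s: Scenario) -> Scenario:
        return Scenario(s.name, s.threat_event_frequency,
                        s.vulnerability * self.vulnerability_factor,
                        s.loss_magnitude.scaled(self.loss_magnitude_factor))


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; fine for the small yearly event rates used here."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def simulate_annual_loss(s: Scenario, trials: int = 20000, seed: int = 7) -> list[float]:
    """One simulated year per trial: draw the loss event rate, count events, sum their cost."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        lef = s.threat_event_frequency.sample(rng) * s.vulnerability
        losses.append(sum(s.loss_magnitude.sample(rng) for _ in range(poisson(rng, lef))))
    return losses


def summarize(losses: list[float]) -> dict:
    ordered = sorted(losses)
    return {"mean_ale": sum(losses) / len(losses), "p90": ordered[int(0.9 * len(ordered))]}


def compare_controls(s: Scenario, controls: list[Control], trials: int = 20000, seed: int = 7) -> list[dict]:
    """Rank options by net benefit (expected loss avoided minus cost), reusing one seed for all runs."""
    baseline = summarize(simulate_annual_loss(s, trials, seed))["mean_ale"]
    rows = []
    for c in controls:
        residual = summarize(simulate_annual_loss(c.apply(s), trials, seed))
        avoided = baseline - residual["mean_ale"]
        rows.append({"control": c.name, "annual_cost": c.annual_cost,
                     "residual_ale": residual["mean_ale"], "residual_p90": residual["p90"],
                     "loss_avoided": avoided, "net_benefit": avoided - c.annual_cost})
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)


# Constructed scenario and options (hypothetical figures, not from any real assessment).
WIRE_FRAUD = Scenario("phishing-led fraudulent wire transfer",
                      threat_event_frequency=Pert(20, 50, 120), vulnerability=0.05,
                      loss_magnitude=Pert(25_000, 150_000, 1_200_000))
OPTIONS = [
    Control("MFA on wire approval", annual_cost=120_000, vulnerability_factor=0.2),
    Control("Security awareness training", annual_cost=40_000, vulnerability_factor=0.7),
    Control("Dual approval and transfer limits", annual_cost=200_000,
            vulnerability_factor=0.8, loss_magnitude_factor=0.5),
]

if __name__ == "__main__":
    print(f"Baseline ALE (analytic): ${WIRE_FRAUD.analytic_ale():,.0f}")
    for r in compare_controls(WIRE_FRAUD, OPTIONS):
        print(f"{r['control']:<34} cost ${r['annual_cost']:>8,.0f}  residual ALE ${r['residual_ale']:>9,.0f}"
              f"  p90 ${r['residual_p90']:>10,.0f}  net benefit ${r['net_benefit']:>9,.0f}")
```

The output a board audience cares about is the ranked table: each option's residual annualized loss expectancy, a 90th-percentile "bad year" figure, and net benefit in dollars, which is the comparison a risk-based program is expected to make and explain without any technical vocabulary. The three-point estimates are the weak link; they should come from the risk assessment itself, and the model should be re-run whenever threat frequency or control effectiveness estimates change.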