August 28 is the first of the rolling deadlines to comply with the New York Department of Financial Services (DFS) new and far-reaching cybersecurity regulations for companies licensed under the state’s banking, insurance and financial services laws.
As of that date, licensed companies must be able to show regulators that they are implementing a comprehensive cybersecurity program, based on a risk assessment.
It’s up to each company “to assess its specific risk profile and design a program that addresses its risks in a robust fashion”. But the must-do list in the New York cybersecurity regulations (23 NYCRR Part 500) gets pretty specific.
By 8/28, for instance, companies must:
- Appoint a “qualified individual” as a Chief Information Security Officer (CISO), along with qualified cybersecurity personnel.
- Write a cybersecurity program and policies that get into specifics on data governance, access controls and more.
- Maintain data backup systems and other precautions against data loss.
- Control access privileges by insiders to non-public information
Also, new reporting requirements mandate notifying the DFS within 72 hours about a “cybersecurity event” that has “a reasonable likelihood of materially harming” operations. The DFS also requests reporting of unsuccessful cyber attacks if the company considers them “serious”.
The next milestone to meet requirements comes March 1, 2018, when companies must start:
- Performing periodic risk assessments with documentation on categorizing risks, risk acceptance or mitigation and criteria for controls. Risk assessments also need to cover third-party services.
- CISO reporting to the corporate board of directors at least annually on cybersecurity metrics.
- Performing annual penetration testing and other monitoring
The whole “transition period” of deadlines wraps up on March 1, 2019, two years after the regulations became effective.
The New York cybersecurity code doesn’t mention penalties for non-compliance but the DFS makes it very clear it will hold the C-suite and above to account:
“Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations.”
In fact, the US Federal Banking Regulators (Federal Reserve, OCC, FDIC) recognized FAIR as an established model for cyber risk quantification in its Advanced Notice of Proposed Rulemaking on Enhanced Cyber Risk Management Standards.