Update: Significant new requirements kick in on March 1, 2018, including…
As with the previously implemented regulations, the New York Department of Financial Services doesn’t specifically tell its regulated companies how to meet the requirements; it just sets a high bar that can’t be met without applying a rigorous, consistent standard for assessing risk – like the FAIR model, the only international-standard quantitative model for cybersecurity risk.
Background on the regulations
On March 1, 2017, the New York Department of Financial Services (DFS) put into effect new cybersecurity regulations that affect the banking, insurance, and financial services organizations it regulates.
Whether you are based in New York or not, the impact can be far-reaching, given the global prominence of New York in the financial industry. Here are the top things you need to know:
What is it?
The risk-based regulation mandates that a detailed risk assessment be performed; that assessment informs the design and maintenance of a cybersecurity program, cybersecurity policies, and the application of minimum standard controls. Regulated entities must submit an annual certification of their compliance.
When do the regulations go into effect?
While the regulations went into effect March 1, 2017, a set of rolling deadlines established grace periods for some of the requirements. The next deadline after March 1, 2018, falls on September 3, 2018, and covers audit trails, in-house developed applications, disposal of data, privileged insiders and data encryption. By March 1, 2019, covered companies are expected to be in full compliance.
What’s new and different?
However, the New York DFS cautions that these are minimum standards and that compliance is just the beginning, saying that it doesn’t want to be “overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances.”
Financial institutions operating in New York and elsewhere should take this as an opportunity to look beyond the minimum compliance requirements and consider what’s at the heart of the regulation – building risk-based organizations that are resilient in the face of a data breach or other cyber attack.
What does this require?
In fact, the US federal banking regulators (Federal Reserve, OCC, FDIC) recognized FAIR as a known model for cyber risk quantification in their Advance Notice of Proposed Rulemaking on Enhanced Cyber Risk Management Standards.