Update: Significant new requirements kick in on March 1, 2018, including...
- Annual report by the chief information security officer (CISO) to the board of directors covering the company’s cybersecurity risks and the effectiveness of its cybersecurity program.
- Periodic risk assessments based on clear criteria for evaluating cybersecurity risks and existing controls; also, a statement of the company’s requirements for mitigating or accepting risks based on the risk assessment.
As with the previously implemented regulations, the New York Department of Financial Services doesn’t specifically tell its regulated companies how to meet the requirements; it just sets a high bar that can’t be met without applying a rigorous, consistent standard for assessing risk, such as the FAIR model, the only international standard quantitative model for cybersecurity risk.
Background on the regulations
On March 1, 2017, the New York Department of Financial Services (DFS) brought into effect new cybersecurity regulations that affect the banking, insurance, and financial services organizations it regulates.
Whether you are based in New York or not, the impact can be far-reaching, given the global prominence of New York in the financial industry. Here are the top things you need to know:
What is it?
The risk-based regulation mandates that a detailed risk assessment be performed, and that this assessment inform the design and maintenance of a cybersecurity program, cybersecurity policies, and the application of minimum standard controls. Regulated entities must submit an annual certification of their compliance.
When do the regulations go into effect?
While the regulations went into effect March 1, 2017, a set of rolling deadlines established grace periods for some of the requirements. The next deadline after March 1, 2018, falls on September 3, 2018, and covers audit trails, in-house developed applications, disposal of data, privileged insiders and data encryption. By March 1, 2019, covered companies are expected to be in full compliance.
What’s new and different?
- New York is pushing the envelope in cybersecurity regulation at the state level by mandating what New York Governor Andrew Cuomo called "first-in-the-nation protections."
- Responsibility for compliance is elevated to the board of directors and senior management because they must sign off on the annual certification of compliance. In addition, they’ll receive a report from the CISO on the material risks to the business at least once a year.
- It makes the risk assessment the focal point for the program, policy, and controls implementation, therefore encouraging a risk-based approach.
However, the New York DFS cautions that these are minimum standards and that compliance is just the beginning, saying that it doesn’t want to be “overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances.”
Financial institutions operating in New York and elsewhere should take this as an opportunity to look beyond the minimum compliance requirements and consider what’s at the heart of the regulation: building risk-based organizations that are resilient in the face of a data breach or other cyber attack.
What does this require?
- Identification and measurement of the risks that are most important to business operations
- Cost-effective comparisons of risk remediation options
- Effective communication of the value of a cyber risk program and security to an audience of business executives who don’t speak tech
In fact, the US federal banking regulators (Federal Reserve, OCC, FDIC) recognized FAIR as a known model for cyber risk quantification in their Advance Notice of Proposed Rulemaking on Enhanced Cyber Risk Management Standards.