90 Days Since New York’s DFS Regulations: Where Are We Now?
New York Department of Financial Services (DFS) issued proposed regulations on September 13, 2016 – applies to any entity that (1) obtains an individual’s financial information in connection with a financial transaction or product, personal health information, or information sufficient to identify the individual (collectively, “NPI”); and (2) operates under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or financial services law. Covered Entities include banks, credit unions, money transmitters, insurance companies, trust companies, domestic branches of foreign banks and mortgage lenders.
The cybersecurity regulations issued earlier this year by the State of New York’s Department of Financial Services (NY DFS) are a significant step toward a Sarbanes-Oxley style mandate for cyber-related risk. We observed in 2015 that such moves were inevitable given the ever-growing threats to our economy and infrastructure cyberterrorism and cybercrime pose, achieving a status on-par with financial risk.
What makes this step by New York noteworthy is the national and worldwide impact it has had already and will have moving forward. Virtually all financial institutions conduct a significant amount of business in New York, making it likely that thousands of financial services companies are working toward compliance. The combined reach of these institutions is immense, as one provision in the regulations requires them to assess the cyber risk of their vendors, affecting thousands more companies both inside and outside the financial services industry.
The Cyber Security Framework (CSF) developed and published by NIST in 2014 has become a de facto standard for evaluating cyber risk, something never intended or wanted by the authors. Most cybersecurity guidelines and regulations, including those promulgated by NY DFS, align closely with CSF, drawing heavily upon its insights and guidance provided by the indusry’s leading thought leaders and experts three years ago. In evaluating the NY DFS directive vis-à-vis CSF, we found that all aspects of the new mandate are covered by NIST’s Framework, except for the DFS’s requirement of having a chief information security officer (CISO).
- Policies and procedures
- Appointment of a CISO
- Access control on a need to know basis
- Audit trail (logs) and document retention for 6 years
- Risk assessment of third party vendors
- Personnel capable of managing cybersecurity program; risk awareness training for employees
- Incident response plan
- 72 hour notification of cyber incidents
- Exempts small companies (<1000 employees and/or <$5M annual revenue and/or <$10M in assets
“Spending millions on security technology can certainly make an executive feel safe. But the major sources of cyber threats aren’t technological. They’re found in the human brain, in the form of curiosity, ignorance, apathy, and hubris.”
“The Best Cybersecurity Investment You Can Make is Better Training”
Dante Disparte and Chris Furlow, HBR, May 16, 2017
How will cybersecurity initiatives for the financial services industry evolve? Four trends suggest steps for astute leaders who want to stay ahead. Here are our suggestions:
TREND: Other states are preparing to follow with their own regulations. Oversight and regulation of financial services is highly distributed in the U.S. Members of the insurance industry should expect other states, especially large states like California and Texas, to react to the NY DFS move by passing new laws. Fortunately, state overseers have already been active in developing uniform guidance on new legislation being considered. [link]
Suggestion: Closely monitor proposed legislation, regulatory actions, and high profile incidents on a weekly basis.
TREND: Cyber awareness training for all employees, including boards and executives, is on the brink of rapid expansion. The recent rise in awareness among corporate board members of the enterprise risk posed by cyber incidents has begun motivating them to seek out more knowledge and understand the context. Since the passing of the Sarbanes-Oxley Act, the level of financial acumen among directors has risen significantly. We can expect the same impact with cybersecurity as organizations like Ridge Global and NACD (and others) begin offering training for boards.
Suggestion: Engage your board in raising their cyber awareness and that of all employees through regular training programs. Researching the available programs in light of your organization’s unique needs is the first step.
TREND: The heavy overlap of NY DFS and CSF will cause organizations to combine their efforts to comply with them both. NIST’s CSF is the “gold standard” pointed to by experts when asked how organizations should gauge their level of cyber maturity. Many organizations have discovered that their parallel efforts to implement CSF and meet the NY DFS regulations are based on a common set of controls and steps, and that combining both efforts can save time and money.
Suggestion: Encourage staff to rationalize efforts on projects related to cyber compliance to avoid redundant activities and decrease the overall energy required.
TREND: Implementing both the NY mandate and NIST CSF will accelerate demand for automation. From its passage in 2002 until the present, the Sarbanes-Oxley Act has fueled the growth of a supporting GRC software and services industry, estimated by Markets and Markets to reach $38 billion in revenue by 2021. The need to help ongoing compliance efforts will drive development of new software solutions that simplify the assessment and monitoring of growth toward cyber resilience and a decrease in cyber risk.
Suggestion: Investigate and track emerging software solutions and advanced service offerings that support NIST’s CSF and the implementation of the NY DFS regulations, such as Cybernance.
Leading financial organizations are scrambling to meet these new NY DFS obligations, and more directives from industry associations, federal agencies, and state and local governments will only add fuel to the fire. The NY DFS move was a bold one, and its ripple effects will be felt for years as the pioneering policy leading the way to better cybersecurity.