Posted April 6, 2017
By Emilio Iasiello, LookingGlass CTIG
Data breaches are a seemingly weekly occurrence at companies across all industries and of all sizes. Recently, the New York Department of Financial Services (DFS) put into effect new regulations for cyber security in banking and insurance to stay ahead of and combat these threats.
The regulations require companies to establish security controls that would ensure a more proactive cyber security apparatus. Companies must re-evaluate and upgrade their security systems annually, and boards of insurance companies or banks are required to certify that the companies are in compliance by February 15, 2018.
While these regulations specifically relate to banking and insurance, organizations from all industries should take note, as the regulations may very well serve as a model for them in the future. This is especially true because the regulations highlight evaluating cyber risk – both internally and from third-party suppliers and vendors – a current hot topic within the cyber community.
Some key points from the NYDFS regulations include:
- Risk Assessments. The DFS will now allow programs to be based on the individual entity’s risk assessment — a critical change from the original proposal, which was viewed as inflexible and as essentially advocating a “one size fits all” approach. The risk assessment is the key piece of the regulations, as it compels organizations to identify and locate key information and information technology assets. It also permits them to design, develop, and implement an assessment unique to the organization, rather than being compelled to adopt one already in use that may not suit their needs. The risk assessment must allow for “revision of controls” due to technological changes and the evolving nature of the cyber threat landscape. Per the regulations, the risk assessment must include criteria for evaluating cyber security risks and the integrity of information systems and non-public information, as well as steps to mitigate risks. Organizations have a year and a half to comply with the requirements.
- Third Party Risk Management. Organizations are now required to address the third parties that provide them goods and services: requiring those parties to meet minimum cybersecurity practices, conducting third-party due diligence and periodic assessment, and verifying the “continued adequacy” of their cybersecurity practices, among other measures. The successful exploitation of third parties has been the entry point for several large breaches, most notably Target in 2013. Concern over this threat to the financial sector can be seen in 2013, when the Department of the Treasury’s Office of the Comptroller of the Currency issued guidance on third-party relationships to all national banks, federal savings associations, and technology service providers. In 2014, the Federal Deposit Insurance Corporation issued similar guidelines regarding third-party risk in its Compliance Manual. The DFS itself issued similar recommendations in its 2015 report on third-party service providers and the banking sector.
- Bring in the C-Suite. The new regulations identify an organization’s senior management as responsible for the cyber security program. The requirement that a board of directors or senior officer certify a firm’s compliance with the regulations each year indicates that DFS will be scrutinizing firms for compliance from the C-suite down. This is an important development, as cyber security is no longer viewed solely as an IT function but is now directly linked to decision makers.
The regulations set tight deadlines for compliance. Some notable dates include:
- August 28, 2017: The following requirements must be in place: 1) a cybersecurity program; 2) cybersecurity policies; 3) a Chief Information Security Officer; and 4) an Incident Response Plan.
- February 15, 2018: The filing of annual certification of compliance.
- March 1, 2018: Periodic vulnerability assessments and risk assessments for the cybersecurity program, multifactor authentication, and a cybersecurity training program must be in place.
- September 1, 2018: Data retention, an auditing system, encryption of nonpublic information, and a monitoring program must be implemented.
- March 1, 2019: A third-party service provider security policy must be implemented.
While the response to the regulations has been generally favorable, some critics still believe more could be done. Their arguments cite the “cadence” of cyber risk certification, holding that an annual security check-up does not adequately address the current cyber threat environment and intimating that more frequent audits and checks would be better suited to the speed with which cyber attacks are conducted. Additionally, these critics raise the question of certifying the security of other information systems that don’t necessarily fall under the umbrella of the cyber security program, arguing that all systems need to be checked. It remains uncertain how aggressively DFS will enforce the various certification provisions.
Regardless of these doubts, requiring cyber security plans to include an incident response plan and holding organizations accountable for breaches are two important steps toward establishing and maintaining resiliency and managing risk. In a time when network compromises are becoming commonplace, it is imperative for all organizations, regardless of size, to engage in a robust cyber security approach to protecting data, identifying and responding to malicious activity, and reducing the time from breach to resumed business operations.