New Cybersecurity Regulation Impacts New York Financial Firms
May Become a Model for Other States to Follow
The New York Department of Financial Services (DFS) introduced a new cybersecurity regulation for financial services companies that took effect on March 1, 2017.
The regulation carries a heavy compliance burden that is intended to protect clients, consumers, and financial entities from the ever-growing threat of cyberattacks. Institutions subject to the new requirements include state-chartered banks, hedge funds, foreign banks licensed to operate in New York, as well as insurers doing business in the state.
The new regulation, which had multiple rounds of revisions and extensive input from financial industry groups, has been in development for two. The law was delayed for two months as requirements loosened after financial firms requested more time to comply and described the requirements as too onerous.
Meeting compliance will be a challenge for some, even though financial services companies have expected the new cybersecurity regulations for some time. The new law requires:
- Designating a Chief Information Security Officer (CISO)
- Creating an intensive response plan for security breaches
- Conducting annual self-evaluations of their cybersecurity vulnerabilities and developing corresponding updated security plans
- Requiring that employees go through cybersecurity training
- Reporting cybersecurity events to the state within 72 hours of discovery
In addition to the above requirements, there is a strong focus on securing data – including the expanded use of encryption, access controls for systems and data, automated audit trails, retention, and timely destruction of data. Simply put, the new regulation represents a “heavy lift” for institutions to comply, especially for smaller firms that don’t possess the internal resources and expertise to address the full breadth of the requirements.
The other challenge for many will be identifying, or designating, a C-level executive for the role of Chief Information Security Officer (CISO). It is well documented that not enough skilled, true security professionals are available to meet the demands of the market today. This new regulation will likely exacerbate the security “skills gap” and elevate less experienced resources to fill key security leadership positions.
To help with this, and other security regulations, companies have increasingly turned to security-focused consulting firms to assist with the adoption and implementation of the security operations, procedures, and architecture needed to address their compliance initiatives. Aspire offers deep expertise in a variety of assessment services to identify gaps, prioritize remediation, and develop a “security roadmap” intended to manage risk, enable digital business initiatives, and meet regulatory and compliance requirements. In addition, Aspire provides a CISO-as-a-Service program, which allows clients to tap into the knowledge and experience of senior security practitioners, for a fraction of the cost of hiring one full time.
Complying with the new regulation will require businesses to complete an annual review of internal practices, perform a comprehensive risk assessment, and address areas that fail to meet the requirements. Yearly certification, in which senior management states that its cybersecurity program complies with the regulation’s requirements, will need to occur by February 15. Again, the question becomes whether the institution takes on the effort internally or leverages the services of an outside partner.
Today, only firms licensed by the New York DFS are subject to the new requirements. Experts predict that the new regulation will quickly spread to other states. As we’ve seen with California’s privacy law regulating personal information, the introduction of new security standards can help shape similar legislation in other states and across industries.
Our advice to clients is simple. Whether you’re regulated or not, you need to manage risk to acceptable levels. And, by the way, just because you’re in compliance with required regulations doesn’t necessarily mean you’re secure.
- Adopt a cybersecurity framework as the basis of your security program.
- Measure where your firm falls on the maturity scale.
- Identify areas of concern and bring awareness to the business.
Executive management will want to have a say in determining acceptable levels of risk. Seek assistance from a strong security partner to fill any gaps in skillsets or operations needed to meet your security goals.