It has been almost a year since the first transitional deadline of the New York State Department of Financial Services (NYDFS) Cybersecurity Regulation took effect on August 28, 2017. The regulation is the first of its kind in the United States, and other states are looking to it as a new standard.
The NYDFS issued the regulation to cover the financial services industry in New York (its entities licensed or registered under the state's Banking, Insurance and Financial Services Laws, and, indirectly, the third-party service providers those entities rely on) in response to the growing number of cyber-related incidents. A study by IBM found that the financial industry is attacked 65% more often than the average organization across all industries. These incidents are becoming more frequent as the digital landscape envelops a greater share of the business world, increasing the number of access points into networks and information systems.
By exploiting vulnerabilities, cyber criminals steal personal and payment card information, as well as intellectual property, quickly and efficiently. Because of the nature of the industry and the information it handles, the financial sector has garnered increased attention from hackers and cyber criminals alike.
As of August 28, 2017, financial services companies under the jurisdiction of the NYDFS should have completed the following parts of the new regulation (23 NYCRR Part 500):
- Establish and maintain a cybersecurity program and written cybersecurity policy
- Designate a Chief Information Security Officer (“CISO”)
- Limit and periodically review who has access to nonpublic information and the systems that hold it
- Use qualified cybersecurity personnel to manage cybersecurity risks
- Notify the NYDFS within 72 hours of determining that a reportable cybersecurity event has occurred, and
- Have a written incident response plan.
Six Months Since the Board Reporting and Training Requirements Came Due
Additional substantive requirements became effective on March 1, 2018. These include:
- The CISO reporting to the board, at least annually, on the entity’s cybersecurity program and material risks
- Including annual penetration testing and bi-annual (twice-yearly) vulnerability assessments as part of the cybersecurity program
- Conducting periodic risk assessments
- Implementing certain multi-factor authentication controls, and
- Providing cybersecurity awareness training for all personnel
While many sections of the regulation target the board and C-suite of an organization, it is important to recognize the effect they will have across the company as a whole. Some of these requirements are intended to address internal threats, such as an employee making a simple mistake by clicking a malicious link or opening a malware-laden attachment from a suspicious email. These "attacks" happen all too frequently, and with proper training and awareness, their damaging consequences can be avoided. Organizations of all sizes are targets of cybercrime, so it is of the utmost importance to inform your staff of the precautions needed to protect your data and maintain business continuity and reputation.
Assessments Are a Key Starting Point for Compliance
As noted above, beginning March 1, 2018 each covered entity was required to conduct periodic risk assessments, which enable you to identify cybersecurity risks specific to your business environment. By assessing which security controls are present and how well they are implemented, you reveal both areas of vulnerability and areas of effective coverage. An assessment should review controls across people, process, and technology. The CyberFortis-TSC approach to cyber risk assessment examines information security from the perspective of six domains: Data Security, Physical Security, Internal Business Operations, External Business Operations, Mobile Security, and Insider Threat. These domains are divided into control families and control objectives. The resulting report provides Customer Risk Profile and Domain Maturity Level scores, detail on every control evaluated, and recommendations to address weaknesses.
With a roadmap such as this in hand, it is easier to make informed investments in other layered security measures such as vulnerability management, penetration testing, and employee training. Many community banks and financial services firms have limited staff and financial resources. In these cases, it is possible to improve security posture and respond quickly by outsourcing this capability through managed security services. CyberFortis-TSC employs certified experts and leading tools to scan for vulnerabilities and support robust patch management, as well as subject matter experts versed in financial compliance and cybersecurity strategy.
Next up: Are you ready for the September 3, 2018 implementation deadline?