It’s time. The 180-day transitional period to comply with the New York State Department of Financial Services (NYS DFS) cyber security regulation is over. Financial services organizations that are regulated by the NYS DFS now must comply with a new set of requirements. What’s mandatory? A full list can be found here. For highlights, I chatted with Bay Dynamics’ VP of Strategy, Steven Grossman.
Abby: Thanks for taking the time to chat today, Steven. Between the President’s Cybersecurity Executive Order, the NIST framework and others, we have seen quite a bit of regulation and updated guidance come out in the past year. What is the purpose of the NYS DFS cyber regulation?
Steven: The NYS DFS cyber regulation is certainly one of the forerunners of a state-specific, industry-specific regulation. It spells out what financial services organizations within NYS need to do to protect their customers, shareholders and overall operations. It also helps improve the cyber security of the financial system at large. As we have seen from past breaches, banks are interconnected. When one bank has a cyber issue, they all face a cyber issue.
Abby: What makes this regulation unique compared to others?
Steven: I think there are two components that make the requirements unique. First, the regulation puts a strong emphasis on a risk-based approach to security. One of the key requirements is that organizations must perform risk assessments and build their cyber security programs based on the results of those assessments. The regulation does not prescribe equal treatment for all assets. If a store is locking up its snacks with the same security measures as its jewelry, that doesn’t make sense. Different assets have different levels of importance and therefore require different levels of security. Second, the regulation requires that the chairperson of the board of directors or a senior officer sign on the dotted line, attesting to their organization’s compliance. This is the first cyber regulation that I know of that includes that kind of Sarbanes-Oxley-like attestation.
Abby: Regarding the risk-based requirements, what should organizations be doing now to comply?
Steven: Know what your systems and applications are, which ones are most important, and understand how they operate. Where are the sensitive data, systems and applications that, if compromised, would impact the organization, customers and shareholders the most? Understand the threats and vulnerabilities as well as the probability of those two meeting to impact your most valued assets. You can then prioritize how to protect them. Don’t try to stop every threat or patch every vulnerability. It’s not a practical approach because an endless number of new ones pop up daily. Manage the protection of your organization based on probability and impact, just as you do in most other aspects of protecting your business. Working towards a secure environment will lead to compliance just about every time, but at the same time, you need to make sure that you are checking all the boxes.
Abby: Does this regulation only affect companies in NYS?
Steven: Overall, the regulation covers entities in finance in NYS that have more than ten employees, five million dollars in gross annual revenue the last three years and ten million in total year-end assets. That means that many small and mid-sized companies must adhere to the requirements. Due to the overall resourcing requirements, those companies may turn to outsourcing that responsibility to a managed services provider that may not be based in NYS. Though they may outsource the responsibility for security or other business processes, they cannot outsource accountability for compliance, and are still on the hook. Additionally, any third parties or outsourcing providers they use must comply as well, whether or not they operate in NYS. That’s the main effect this regulation has on companies outside of NYS. If you are an organization located in another state but responsible for managing an NYS financial institution’s security program, then you must do your due diligence in making sure you are fulfilling what’s required.
Abby: One last question. The core of the requirements became mandatory on August 28, 2017. If organizations are not compliant by now, they have quite a bit of work to do. What are the penalties for not being in compliance with this part of the regulation?
Steven: At this point, the ramifications are unknown. NYS DFS does not hesitate to take enforcement action in other areas, and I would guess the same would hold true for blatant disregard for this regulation. However, it’s important to keep in mind that no governing body expects perfection. Perfection is not a risk management concept. The DFS is looking for a good-faith effort to comply, which includes documenting and demonstrating that effort. Also keep in mind that signed attestations that prove to be false could provide the basis for legal action by consumers or shareholders. If you are already running a tight risk-based security shop, you could well be on your way to compliance. If not, appoint a responsible and accountable executive for implementing the regulation and get started.