Pressure builds as the NY DFS cyber regulation deadline of February 15th approaches. Automation can accelerate meeting the requirements.
When the New York Department of Financial Services (NY DFS) first published cybersecurity regulations in the fall of 2016, meeting the deadline didn’t seem overly daunting. Unfortunately, many financial services institutions that fall under the new regs procrastinated, and some undoubtedly missed the August 28 deadline. Now the first of several crucial compliance reporting deadlines is rapidly approaching, with a filing due on or before February 15.
NY DFS has been aggressive about enforcing its regulation of the financial services industry. Most recently, it “sanctioned Western Union for allowing a lax anti-money laundering (AML) program to linger and limp along for more than a decade, with rogue agents moving hundreds of millions of dollars tied to potentially illicit scams – aided by executives and managers covering their tracks and failing to report suspicious activity.” There is no reason to believe they will be any less aggressive in enforcing compliance with their cybersecurity regulations.
Long before now, astute organizations will have already filed basic statements showing their compliance with the following directives:
- Establish a cybersecurity program that includes a risk assessment and addresses cybersecurity risks; procedures to protect non-public information (NPI); the detection of and response to cybersecurity events; and access privileges.
- Adopt a written cybersecurity policy approved by the board of directors (or a senior officer) that will address:
  - information security,
  - data governance and classification,
  - asset inventory and device management,
  - access controls and identity management,
  - business continuity and disaster recovery planning and resources,
  - systems operations and availability concerns,
  - systems and network security and monitoring,
  - systems and application development and quality assurance,
  - physical security and environmental controls,
  - customer data privacy,
  - vendor and third-party service provider management,
  - risk assessment, and
  - incident response.
- Appoint a Chief Information Security Officer (CISO) who reports to the Board and oversees the Cybersecurity Program’s implementation and enforcement.
- Develop a cybersecurity training program for employees using qualified firms, and be able to validate that they have the necessary internal/external resources to meet their new responsibilities.
- Implement an Incident Response Plan enabling the organization to notify the NY DFS Superintendent of a significant cybersecurity incident within 72 hours.
The looming February 15th deadline requires the filing of a Certification of Compliance with the NY DFS Superintendent, along with supporting records, schedules, and data. Right behind it is a March 1st deadline requiring a CISO report to the board of directors (or other governing body); the beginning of continuous monitoring (penetration testing and other vulnerability assessments); the beginning of periodic risk assessments; and the implementation of multi-factor authentication for external parties accessing internal networks.
When the original DFS regulations were published, what became immediately clear to us was their alignment with the well-established Cybersecurity Framework (CSF) developed by the National Institute of Standards and Technology. While a few additional specific requirements (e.g., requiring appointment of a CISO) went beyond CSF controls, Cybernance was easily able to map the rest of the regulations to CSF. We further established that an automated solution for assessing and managing a CSF-based cybersecurity program would empower an organization to rapidly gather and manage the information needed to achieve full compliance with the new regulations.
In a blog post last year from Carson Inc., the author suggested that organizations “build out a security framework, through which 23 NYCRR 500 and other regulations can be simultaneously satisfied and tracked. Use of a security framework has the added benefit that you will be following best security practice to protect your organization’s information and customers. The NIST Cybersecurity Framework (CSF) is just such a framework.”
What does automation mean for an organization working to catch up with the looming deadlines? Two benefits seem obvious to us:
- Rapid validation that the newly established cybersecurity program is comprehensive enough to satisfy current and future requirements. Imagine being able to complete an initial assessment of NIST CSF in a couple of days using an automated solution, rather than the weeks (at a minimum) needed to do it manually with spreadsheets.
- Establishment of a robust Cybersecurity Management Improvement Program that will guide the organization toward greater compliance with NY DFS regulations. After an initial automated assessment, the same system provides a prioritized set of needed actions that fuel a continuing cybersecurity management improvement program.
If financial organizations are serious about increasing their long-term cybersecurity resilience, following the NY DFS regulations to the letter is an excellent start. For those whose board and management are serious about long-term risk mitigation, implementing a program of continual improvements based on NIST CSF will further enhance the organization’s ability to mature its cyber measures, a move that will pay dividends for years to come.