90-Days In: What DFS Questions Do You Have?
Since the last time we wrote about the DFS Cybersecurity Regulations, the final version of the regulations went into effect on March 1st, 2017.
It’s 90 days later, and financial companies are racing to fix their cybersecurity posture, with the first set of deadlines quickly approaching. It’s no surprise that NY DFS stepped with this aggressive regulation when you consider the uptick in breaches in the financial industry in the last two years and the fact in New York breaches were up 40 percent last year.
It’s halfway through the 180-day period to achieve compliance with the first deadlines. You’ve probably come up with a general plan or talked about compliance with a few stakeholders, but you’re still left with a few questions.
Do the New York State Department of Financial Services Cybersecurity Requirements Affect My Organization?
We’re guessing you are either relieved because this regulation does not affect your company, confused about whether it affects your organization, or panicked because you do not know where to begin. Here’s a high-level breakdown for those who are still wondering whether this regulation impacts you:
Covered Entities: Those already operating operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking, insurance or financial services law.
Exempt Entities: Those that:
- Have fewer than ten employees, including independent contractors that are affiliated with the company and are located in New York or are responsible for the business of the firm.
- Have less than $5 million in gross revenue each of the last three fiscal years from New York business operations.
- Have less than $10 million in year-end total assets calculated in accordance with generally accepted accounting principles, including assets of all affiliates.
Note, however, that even if you’re not technically a covered entity, adherence –or lack of adherence– to these prescriptive regulations could still be used as an indicator for how mature your company’s cybersecurity program is. (This line of thinking is already circulating in the insurance industry, where a failure to comply might have ramifications for your insurance coverage.)
What is Expected of Firms from the New NY DFS Cybersecurity Regulations?
In short, covered entities are required to:
- Create and maintain a company-wide cybersecurity program (500.02)
- Create and maintain a cybersecurity policy (500.03)
- Designate a CISO (500.04)
- Conduct penetration and vulnerability testing (500.05)
- Maintain an appropriate audit trail (500.06)
- Limit access to that required by job function (500.07)
- Periodically Review App Security Guidelines(500.08)
- Perform a Risk Assessment (500.09)
- Ensure resources stay informed and trained (500.10)
- Develop policies and procedures around vendor risk management (500.11)
- Utilize multi-factor authentication or an approved equivalent (500.12)
- Ensure data is disposed of securely (500.13)
- Have cybersecurity awareness training (500.14)
- Encrypt non-public information (500.15)
- Have an Incident Response Plan and Process (500.16)
- Make Notices to Superintendent as Required (500.17)
To see the full regulations click here.
This Seems Like a Lot To Do In a Short Time!
The DFS structured a timeline that is tiered- this means not all of the requirements have to be fulfilled in the first 180 days. Take a look at the image below to get a better understanding of how the deadlines are structured.
This timeline allows you the time to prioritize your decisions about IT investments based on how large a gap you have to close and when the deadline is. A word of advice here: don’t fall victim to the email marketing campaigns rushing you to make a decision on a new solution and using DFS regulations as the hook. Instead, make your decisions about process changes or implementing new solutions based on the level of risk. (If you’re wondering how to visualize what risks are higher, take a look at our tips on creating a risk heat map.)
I’m Ready to Tackle the Challenge. What Should I Anticipate?
As an enterprise, you’ll need to stop viewing yourself as a fortress and start viewing yourself as a link in the supply chain.
Companies now have to think about themselves as a link in the supply chain, like a bulb burning out in a string of Christmas lights and making the rest of the line go dead–what happens to one organization now affects those connected to it.
Businesses have to start planning for how to recover from data breaches both as a primary party and a third party. This means a lot more communication about security hygiene between links in the supply chain (and the DFS), mandatory notification times when it comes to your partners, and including third party vendors in recovery plans.
You can bring on a third-party security vendor to help.
Life in the IT department of going to change is going to change quite a bit for the average NY financial institution, even more if you happen to be a small company who didn’t have to employ a CISO (only 59% have a CISO now) and may not have even employed a DLP product or multi-factor authentication.
Fortunately, the regulations recognize the relationships financial institutions have with outsourced security vendors and SaaS (around 70% of financial institutions report supplementing their own security using a mix of these) and allow for those vendors to deal with some of these security changes. This includes allowing for 3rd party CISOs, SOCs, and vetting/reporting to the security departments of partner organizations.
Creating and measuring progress against easy-to-understand security metrics for your company and its vendors is vital.
Whether you’re conducting a self-assessment or a third-party assessment, developing a clear set of metrics that allows you to easily evaluate progress and adjust your cybersecurity controls is important. The SecurityScorecard platform can help you by providing a board-friendly view of your third party risk management efforts (500.09) and your self-risk assessment (500.11). Additionally, the platform allows you to compare your risk profile against others in the financial industry, so you can see how your progress measures up to your competitors.
By shifting your focus from “checking the box” to making real improvements in your company’s cybersecurity posture, the DFS’s long list of requirements suddenly turns from a daunting task list to a helpful and detailed guideline. (Plus, this guideline is one that comes with the added bonus of being required by law- a factor that your board is certainly paying attention to.)