Why NY State Financial Firms Should Consider a New Regulation the Floor, Not the Ceiling

As major milestone dates imposed by the pioneering and prescriptive New York State Department of Financial Services Cybersecurity Regulation (PDF) kick in on its first anniversary, now is an opportune time to consider the impact they will have on your financial services organization.

Financial services organizations outside of New York state should also keep an eye on the status of this first-of-its-kind regulation, as other states may follow suit.

Most notably, the regulation raises the bar in terms of security accountability, by requiring CISOs to annually update their board of directors (or senior officer if a board doesn't exist) on the progress of their security program, as well as annually certify compliance to regulators. In addition, as an additional testament to how valuable regulators believe a well-informed board is to the success of a security program, the board must also initially approve the organization's written security policies.

The introduction of this regulation is evidence that security concerns remain at the top of the agenda of priorities for state and federal regulators in the banking and financial services industry. Regulators recognize that the threat posed by cybercriminals over the past decade has continually and significantly increased.

Of the 23 components listed in the regulation, the 16 actionable components center around the creation of a policy-based security program that includes proactive measures to help prevent breaches and ensure that response plans are in place. This is a big shift from past regulatory focus for financial services companies, which was more about incident reporting. The New York state regulation specifically requires senior-level signoff on the existence and appropriateness of key security controls.

Non-compliance with the regulation can lead to fines or program reviews. The exact scope of those consequences is not completely known but it is safe to say, you don't want to be the first to find out.

Here are the upcoming milestones:

• Feb. 15: Covered entities are required to submit the first certification under the regulation for Notices to Superintendent, 500.17(b) on or prior to this date.
• March 1: The one-year transitional period ends. Covered entities are required to be in compliance with the requirements of sections Chief Information Security Officer 500.04(b), Penetration Testing and Vulnerability Assessments 500.05, Risk Assessment 500.09, Multi-Factor Authentication 500.12 and Training and Monitoring 500.14(b).
• Sept. 3: The 18-month transitional period ends. Covered entities are required to be in compliance with the requirements of sections Audit Trail 500.06, Application Security 500.08, Limitations on Data Retention 500.13, Training and Monitoring 500.14(a) and Encryption of Nonpublic Information 500.15.
• March 1, 2019: The two-year transitional period ends. Covered entities are required to be in compliance with the requirements of Third Party Service Provider Security Policy 500.11.

The impact of these regulations will vary significantly among organizations. For the most part, the expectations reflect a best practices-based security approach and overlap with other existing regulations and requirements with which you are already likely familiar. The higher level of accountability for documenting policies and procedures by boards of directors and CISOs may be new to some companies, however.

The good news is this regulation may give CISOs a direct opportunity to document the current state of controls and pave a path forward. Security departments may get a boost in stature as well. To maximize the opportunity with the level of visibility and accountability that is required, CISOs should have a well-thought-out roadmap for complying with the regulation that includes solid cost projections and feasible implementation timelines.

In most companies, CISOs won't have delivery responsibility for all elements cited in the regulation, but because they are the ones affirming compliance to regulators, they should ensure proper due diligence and signoff all the way down the organizational chain. A robust process must be agreed to by various stakeholders, including auditors, risk managers, legal and compliance and senior management.

Philosophy and culture play an important role in how this regulation will impact a particular organization. Organizations typically fall into two camps when it comes to regulatory mandates: one camp sees regulations as the "ceiling" and build their program only to meet the highest control that is required, while the other camp sees regulations as the "floor" that they build upon, taking the view that required controls are only the minimum standard that they need to meet.

Since it is likely that more regulations will be introduced over time, those organizations that consider regulatory standards the foundation and add on higher best practices for their security program have a much easier time adapting to evolving requirements.

We'll continue to watch for the emergence of similar regulations in other states, as well as the impact of non-compliance to the New York State Cybersecurity Regulation.

Matt Martin is VP of financial services security solutions at Trustwave.