Yesterday, the Department of Financial Services for New York unveiled new cybersecurity rules for financial institutions and insurance companies. This is another step in government intervention requiring businesses that have access to sensitive personal information of their customers to take extra steps to protect their identities.
The regulations will require banks to: establish a cybersecurity program; adopt a written cybersecurity policy; designate a Chief Information Security Officer (CISO) responsible for implementing and enforcing the new program and policy; design policies and procedures to ensure the security of information systems and non-public information accessible to, or held by, third-parties; and be compliant with a variety of other requirements to protect the confidentiality, integrity, and availability of information systems. Let’s break each one of these requirements down further to more thoroughly understand what each new regulation entails for a company.
Cybersecurity programs are intended to ensure the integrity, confidentiality, and availability of data and information systems, crucial pieces in a company’s infrastructure. Companies must now establish a standalone cybersecurity program. This comprises identifying risks, detecting threats, responding to cybersecurity events, and recovering from breaches. Many institutions may already have these processes somewhere in their IT departments; however, the new regulation requires a separate and defined cybersecurity program that is distinguished from other aspects of IT. Beyond these core functions, the regulations also require program components such as penetration testing.
Cybersecurity programs are nothing without cybersecurity policies. Much like a Human Resources department’s policies, the codification of the policy is integral to its implementation. Institutions must adopt a written policy in order to protect information systems. The regulation requires companies to have policies such as incident response, systems and application development quality assurance, and vendor service provider management, among many others. Composing these policies may be difficult for a smaller institution, but there are many resources online that aid in developing cybersecurity policies.
Another new regulation that institutions must adhere to is designating a Chief Information Security Officer (CISO) to be put in charge of implementing and enforcing the programs and policies mentioned earlier. The CISO must report biannual findings to the board regarding the status of cybersecurity operations, potential threats, and how the company can better mitigate future risk. Having a CISO in charge of cybersecurity helps to centralize the operations and have someone who can be accountable to the board for ensuring the protection of data and information.
Regulated companies must have policies and programs designed to secure information that is accessible to, or held by, third-parties. Third-parties and vendors pose significant risk for companies that do not have a full range of cybersecurity policies and programs in place. Assessing vendors, comparing responses, and ensuring compliance with industry standards are necessary steps that companies must take to secure their information. Most companies do not already have third-party vendor risk management programs in place, but there are cost-efficient solutions, such as Privva, that offer a comprehensive platform to handle vendor risk management in a centralized, hassle-free environment.
All of these regulations are sure to take their biggest toll on smaller financial institutions that cannot spare the time and money needed to bring themselves up to speed with the fast-changing world of cybersecurity. Fortunately, there are solutions to many of these problems. Online platforms and resources can help companies establish a foundation for security where there was none before. The proposed regulation would take effect January 1, 2017, with the first reporting due to the regulatory agency in January 2018.