The FBI estimates that in 2014 alone hackers stole over 500 million computer records from financial institutions in the United States. The lack of Federal action to protect consumers prompted The New York State Department of Financial Services (DFS) to draft what it called a ‘first-in-the-nation cybersecurity regulation’ for New York regulated financial services. The regulation came into effect in March 2017.
The first deadline for financial services organizations is February 15, 2018, with another urgent requirement companies have to meet on March 1, 2018.
What is the Policy About?
The 14-page DFS policy is a set of high-level cybersecurity guidelines. The compliance handbook details what financial services organizations need to do to meet cybersecurity objectives; it does not direct organizations on how they must meet the requirements.
The guidelines specify security best practices and hold the board accountable for their application. This marks a departure for regulators, who in the past preferred not to enforce compliance. The primary areas of concern of the policy are:
- Creation of a Chief Information Security Officer (CISO) role
- Development of a Cybersecurity Program
- Creation and Adoption of a Cybersecurity Policy
- Third-Party Service Providers
The Rise of the CISO
One of the most significant regulations to come into force involves a C-level role devoted to cybersecurity that reports directly to the Board of Directors. Guidelines specify that “covered entities” should designate a “certified person” referred to as a Chief Information Security Officer (CISO).
The CISO “shall report in writing at least annually to the Covered Entity’s board of directors or equivalent governing body.” The CISO’s report should declare how the enterprise executes the policy. The report also details “material Cybersecurity Events”; the CISO has to divulge to the Board when cybercriminals have breached company computer defenses.
The CISO has a lot to contend with as the first anniversary of the DFS guidelines approaches.
Dates to Know
By February 15, 2018, financial services organizations in the state will have to provide DFS with a declaration of compliance with the guidelines. Enterprises submit the declaration through DFS’ online cybersecurity portal.
Then, by March 1, 2018, covered entities have to send their annual compliance reports to their boards, governing bodies, or other suitable individuals or committees for approval. Enterprises must also have in place:
- Routine cybersecurity awareness training;
- Annual penetration testing and vulnerability evaluations, in the absence of “effective continuous monitoring, or other systems to detect, on an ongoing basis, changes in Information Systems that may create or indicate vulnerabilities”;
- Multi-factor authentication controls;
- A procedure to complete documented risk assessments of information systems to ensure compliance with written policies and procedures.
DFS will integrate cybersecurity into all its future evaluations. DFS Superintendent Maria Vullo stated that “DFS’s regulation requires each entity to have an annual review and assessment of the program’s achievements, deficiencies and overall compliance with the regulatory standards.” DFS intends to help financial institutions fend off cyber attacks by taking a more active role in examinations.
Financial Industry Push-back
Many in the financial industry are concerned that conforming to the DFS guidelines will divert effort and funds from the technology solutions that could defend enterprises against cyber intrusion. Some in the community would prefer that, instead of the State of New York creating its own regulations, it adopt policies based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework. This would provide a single regulatory reference that would make it easier to meet Federal compliance standards whenever they are enacted.
No matter how federal and other state governments protect financial and customer data, however, banks and large financial institutions in New York State still have the DFS compliance requirements to meet this Thursday, February 15 and again on March 1. Time has almost run out.
Coranet is a certified Woman-Owned Information Technology Organization that has been meeting the requirements of Enterprise and Government entities for over 30 years. Network Engineering and Technical Support is part of our foundation and we continue this proud tradition with a 360-degree approach to technology solutions and services in the areas of Audio Visual, Network & Physical Security, Wireless/Copper Infrastructure, and Consulting/Project Management. Coranet is ISO 9001 registered, Lean Six Sigma and WBENC certified.
Please contact us at Sales@coranet.com for more information.