On March 1, 2017 the New York Department of Financial Services (NYDFS) adopted a comprehensive set of cybersecurity requirements for Financial Services companies licensed to do business in the state of New York. The goal was to create a set of minimum standards designed to protect consumer data.
The standards set forth by the NYDFS outline the minimum processes, procedures and controls that need to be in place within an organization to protect against data loss. On an annual basis, an officer or a member of the management team of each licensed entity must certify to the state that it is fully compliant with the regulation. The first annual certification is due on February 15, 2018.
As that first annual deadline approaches, is your organization ready?
WHAT SHOULD I BE DOING TO COMPLY WITH NYDFS.500?
NYDFS NYCRR 500, or NYDFS.500, requires that organizations develop, maintain, and monitor a holistic cybersecurity program that is overseen by the senior leadership and officers of the company.
Under NYDFS requirements, licensed entities must have:
- Written policies and procedures that are approved by leadership and reviewed annually.
- A named Chief Information Security Officer (CISO) who is qualified to develop, manage and monitor the program.
- Annual Penetration Testing and biannual Vulnerability Assessments performed by qualified individuals.
- A cybersecurity-specific Risk Assessment performed annually.
- Common security controls such as multi-factor authentication, user reviews, and encryption.
- A documented and tested Incident Response Plan.
MY COMPANY DOESN’T HAVE A CISO. CAN WE NAME OUR IT DIRECTOR OR GENERAL COUNSEL AS OUR CISO?
While technically that is an option, the individual must possess the knowledge, skills and background to adequately fulfill that role. While a CISO can come in all shapes and sizes, industry certifications such as the Certified Information Systems Security Professional (CISSP) or Certified Information Security Manager (CISM) would be expected. These certifications require that individuals have several years of experience in cybersecurity prior to sitting for the exam, thereby excluding candidates that don’t possess the requisite experience. These certifications also require 40 hours of continuing professional education credits (CPE) on an annual basis.
MY COMPANY HAS BEEN LOOKING TO HIRE A CISO AND/OR REPLACE A CISO THAT RECENTLY LEFT AND THE COSTS SEEM VERY HIGH.
You’re not alone. Many organizations are finding it difficult to recruit qualified security professionals. The average tenure nationally for a CISO is anywhere from 18-24 months, with high turnover as security professionals are frequently recruited by other organizations. Recent studies have found that nearly 38% of these individuals leave for a significant increase in compensation. Due to this shortage of available talent, many companies have looked to engage outside firms or professionals for cybersecurity services, naming these individuals as their CISO to satisfy NYDFS requirements. This is explicitly permitted by the NYDFS and we have had a number of clients pursue this as a strategy in recent months.
MY COMPANY ISN’T READY FOR THE FEBRUARY 15, 2018 DEADLINE. WHAT CAN WE DO?
There are still options, even with the deadline quickly approaching. Within the guidance as set forth by the NYDFS, there is clear support for the fact that cybersecurity is viewed as a journey, not a destination. As long as an organization has a named CISO, has policies and procedures that have been approved by management, and a developed roadmap for the upcoming year that brings them into full compliance with the regulation, the organization can certify that it is in compliance on February 15th and execute the plan over the remainder of the year. However, the time to act is now, as many of these controls take time to implement and are best carried out over a period of time.
WHERE DO WE GO FROM HERE?
Regardless of your organization’s cybersecurity maturity or compliance with NYDFS.500, cybersecurity issues will continue to impact your business. We recommend a holistic cybersecurity strategy that includes, but is not limited to, monitoring trends and education, performing periodic penetration testing, use of multifactor authentication, having a defined and tested incident response plan, and good backups and tested data recovery procedures. If you are licensed in New York and need help complying with the regulations, or if you have any questions, feel free to contact us directly.