By Joe Alecci, IT Senior Manager
Last fall, the New York Department of Financial Services (“NYDFS”) released a statement regarding potential new regulations aimed at increasing cybersecurity defenses at financial institutions. Fast forward to one year later and the NYDFS ups its game once again. In September 2016, the NYDFS proposed new cybersecurity requirements to protect New York State Financial Institutions and consumers, a “first-in-the-nation regulation”, including the formal establishment of a Cybersecurity Program, a formal Cybersecurity Policy, the formal designation of a Chief Information Security Officer (“CISO”) as well as additional requirements related to Third-Party Service Providers. While many aspects of these requirements are already in place and operational at many institutions, there are some changes and additional action steps that would need to be taken if the proposed regulation changes are formally adopted. Some of which could potentially be a financial and operational burden to a number of institutions.
One important aspect of the proposal is the requirement of regulated financial institutions to designate a “qualified” individual to serve as the CISO responsible for oversight of the institution’s Cybersecurity Program. Although many institutions already have a designated Information Security Officer (“ISO”), this role is usually an “add-on” to an individual with other responsibilities, such as the CFO, COO or IT Officer/Administrator. The term “qualified” leads me to believe that the NYDFS is concerned about these current practices and the ability of some of these individuals to adequately implement, oversee and enforce a Cybersecurity Program. Therefore, institutions will need to determine what it takes to be a qualified individual in this role and if their existing practices meet this requirement. Moreover, with the expansion of responsibility, it may make sense for this to be considered a separate position.
The CISO needs the skills to adequately assess the institution’s ability to ensure confidentiality, integrity and availability of information systems, identify cyber risks, report on the effectiveness of the Cybersecurity Program, determine and respond to material Cybersecurity events and present remediation actions. Additionally, the CISO needs to make decisions and be able to enforce the institution’s Cybersecurity Program without any inherent conflicts of interest. For example, can a CFO without any IT security experience get beyond cost to adequately assess the benefits of additional Cybersecurity technology?
The NYDFS proposals suggest the need for more clearly defined roles and requirements for individuals responsible for ensuring the security and availability of financial data at banks and other financial institutions. Although I believe that there are some situations where a dual role is adequate, the NYDFS wants to ensure that CISOs don’t just “talk the talk”, but can “walk the walk” as well. Ultimately, with the threat of cyber-attacks on the rise, it is an absolute necessity for institutions of all sizes to perform their own skills assessment and take a closer look at their existing practices to ensure they are where they need to be when it comes to cybersecurity governance. While this may vary at each institution, the goal is the same – to guarantee the utmost protection for its customers.
Dates to Remember
Comments on the Proposal are due by November 12, 2016. If no modifications are made, the Proposal would become effective on January 1, 2017, with a 180-day grace period for compliance. Therefore, banking, insurance and financial services firms are required to have a Cybersecurity Program and other requirements in place by June 30, 2017. Covered Entities must certify compliance on an annual basis, starting January 15, 2018.
Joseph Alecci, CISA, CISM, CISSP, CRISC
Senior Manager – IT Audit & Information Security
Joseph Alecci leads the IT/Cybersecurity Audit & Risk Management Group at P&G Associates. He has over 20 years of experience in information systems and auditing management and is a member of the ISACA N.J. Chapter Board of Directors.