Gov. Andrew Cuomo of New York announced Thursday final regulations that require financial services institutions to establish and maintain strict cybersecurity standards and to report them to the state’s Department of Financial Services.
DFS first proposed the regulation in September and was met with strong opposition from industry groups that said it was too strict. The mandate was revised in December to push back the compliance date. The regulation will take effect on March 1, and financial firms in New York will have until Sept. 1 to comply.
“New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever increasing threat of cyberattacks,” Cuomo said in a statement. “These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cybercrimes.”
Indeed, the mandate prescribed by the New York DFS “goes beyond even what the SEC and FINRA have put forth,” according to John Cunningham, chief information officer and chief information security officer for Docupace.
Financial firms are being asked to “open the kimono” on their cybersecurity practices and report annually to the state superintendent on gaps in their firms and what they’re doing to remediate them, he said. Those reports must be retained for five years, Cunningham said in an interview with ThinkAdvisor. Cybersecurity programs must also include policies for regularly disposing of nonpublic information it no longer needs.
Firms must report all cybersecurity events, even unsuccessful ones, within 72 hours of discovery, he added.
Justin Kapahi, vice president of solutions and security at External IT, called the mandate “one of the more prescriptive action summaries I’ve seen in a while.”
“Right off the bat, you see that much more prescriptive about the kind of IT policies you have to have, exactly what should make up those IT policies, and how you’re supposed to use those policies to measure your risk. That’s something that the SEC infers, but [the New York DFS] actually prescribes,” Kapahi told ThinkAdvisor.
New Role for CISO
The regulations require financial institutions to assess their risks and maintain a cybersecurity program that will “protect the confidentiality, integrity and availability” of their information systems. Among the specific actions they must take are to identify and assess risks to their systems; implement “defensive infrastructure”; detect and respond to cybersecurity events; to recover from a cybersecurity event and resume normal operations; and to report on their program annually to DFS.
Cunningham pointed out some areas where firms may struggle to meet the mandate’s regulations.
One is in the requirement to have a “qualified person” in the chief information security officer role. “In the past, companies just designate their CFO as the CISO, but that’s probably not going to be OK anymore.”
Cunningham recommends firms that want to hire their own CISO look for someone with experience and professional designations like the Certified Information Systems Security Professional (CISSP).
The regulation explicitly allows firms to use an affiliate or third party as a CISO, but requires that the firm retain responsibility for cybersecurity compliance and designate someone within the firm to be responsible for the third-party CISO, who must also meet the requirements of the mandate.
“The firms themselves have to understand what’s going on. You might have all these capabilities, but not all of them turn them on, or they refuse to,” Kapahi said, noting some clients will refuse even to use two-factor authentication. “I personally have to get on the phone and argue with people.”
Cunningham said, “The role of the CISO has been elevated by this law. It really talks to the need for the CISO to be engaged at the highest levels of the business to provide a written annual report to the board of directors.”
Kapahi said that getting a qualified person in the CISO role is something firms should move quickly on, but when he conducts security assessment, he finds “more often than not, the person assigned to the security of the company is someone who is not even remotely qualified to do so.”
In addition to the difficulty finding someone qualified to act as the CISO, firms may struggle to find someone who wants to take on the challenge. The law “places enormous responsibility on the CISO,” Cunningham said, and “a lot of personal, civil and potential criminal liability if the CISO misrepresents” the firm’s cybersecurity practices.
The easiest action in the mandate for advisors to address, and in the nearest term, would be the requirement to implement security awareness training for staff, Kapahi said. “Most IT providers now can help you administrate that.”
He added that employees are the biggest cybersecurity risk to firms. “If you look at all cybercrime,” he said, “90%-plus is due to employee misuse of the system, or not [recognizing] a phishing attempt.”
There are some exemptions to who is covered by the regulation. Firms with fewer than 10 employees are exempt. Firms with less than $5 million in gross annual revenue in each of the last three fiscal years, and those with less than $10 million in year-end total assets, are also exempt.
However, Kapahi noted that’s in “exact opposition to the SEC’s priority letter, which prioritizes smaller firms.”
“The game has changed. You can’t just take a technology guy or your CFO and make him your CISO anymore,” Cunningham said.
“By meeting these rules, they’re going to be better able to meet SEC’s rules,” Kapahi said. “You need to be safe. These are regulatory requirements, but you need to do this stuff anyway.”
— Read Is Your Data Breach Response Plan Good Enough? 3 Ways to Stress Test It on ThinkAdvisor.