Proposed N.Y. Cyber Regulations Follow NIST Framework

Alexander Hiznay | 10/13/2016

In September 2016, the New York State Department of Financial Services (DFS) proposed a first-of-its-kind regulation that would require financial services organizations under its supervision to maintain a cybersecurity program. Over the past few years, the DFS has surveyed the cybersecurity programs of the banks and insurers it regulates to understand where regulation could reduce the likelihood of data breaches. The survey results [1] show room for better awareness and management of cybersecurity risk. Of the institutions surveyed:

  • Twenty-two percent reported that they “need to investigate further to understand [information security] risks.”
  • Fewer than 27 percent “have already implemented policies and procedures to mitigate information security risks associated with cloud computing.”
  • Only 36 percent have imposed security requirements on subcontractors of third-party vendors.
  • Only one-third reported that senior managers received monthly information security reports.
  • Only one-third had a reporting structure that provides information security reports to the CEO.

The proposed DFS regulations attempt to improve upon these deficiencies by requiring the creation of a comprehensive cybersecurity program addressing key requirements in five areas.

  • Establishment of a cybersecurity program. This component of the regulation borrows heavily from the existing National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. The framework's core consists of five functions: identify, protect, detect, respond, and recover. The DFS wants organizations to develop, or adjust, their programs so that the controls they implement map to these five functions.
  • Adoption of a cybersecurity policy. For many institutions, this is nothing new. Most organizations have a cybersecurity policy in place that covers many of the essential topics the DFS regulations would enforce – continuity planning, identity management, and physical and network security. The new regulation also includes a requirement to make data governance and classification, customer data privacy, and vendor and third-party service provider management guidelines a part of the overall cybersecurity policy.
  • Chief Information Security Officer (CISO). This requirement draws directly on the research referenced above, which summarizes survey results about communication between those responsible for mitigating cyber risk and the rest of management. Based on those findings, the DFS is proposing that organizations designate a CISO to close the communication gap and give the board better visibility into cyber risk. Under the proposed regulation, the CISO would report to the board at least twice a year on the effectiveness of the cybersecurity program.
  • Third-party service providers. More and more companies rely on services from outside parties for critical – and risky – business functions. The DFS now recognizes how vulnerable organizations are due to this outsourcing. The proposed regulation aims to ensure organizations take a security-first approach with vendors and are as involved as they can be with the cyber risk management of these outsourced solutions.
  • Additional requirements. The last component of the proposed regulation covers a broad set of cybersecurity controls that respond to other trends noted in the DFS studies. These include annual penetration testing, cybersecurity awareness training for employees, encryption of nonpublic data both in transit and at rest, and development of a written incident response plan.

[1] Research results can be found in the following DFS reports: Report on Cyber Security in the Banking Sector; Report on Cyber Security in the Insurance Sector; and Update on Cyber Security in the Banking Sector: Third Party Service Providers.