After an initial delay, the New York State Department of Financial Services (NY DFS) finalized its new cybersecurity regulation that goes into effect March 1st (today).
The new rules require banks, insurers and other financial services firms to meet minimum cybersecurity requirements “to protect consumers and ensure that its systems are sufficiently constructed to prevent cyberattacks to the fullest extent possible.”
We are all aware of the cybersecurity threats out there and the ramifications of a breach to an organization, including monetary, data and reputation loss. The fact remains, we cannot control the threat environment, but we can control our readiness to combat these threats. Therefore, I am going to skip the reasoning and philosophy behind the roll out of such a regulation and dive right into the requirements.
Here is a sample of the requirements that the NY DFS Cybersecurity regulation mandates:
Firms required to comply will need to designate a formal CISO who can ‘maintain a cybersecurity program’ that can ‘protect the confidentiality, integrity and availability’ of the data through appropriate governance structures and policy frameworks. The program must have detection and response capabilities. It also mandates that the designated CISO brief the board of directors annually (at a minimum) regarding the state of cybersecurity in their organization. Among other controls, it also instructs firms to scrutinize security at third-party vendors that provide them goods and services.
Is this news to anyone? I can understand the panic of seeing all these things in a formal regulation signed by the governor with penalties assessed for non-compliance, but it is my opinion that many of these security activities (if not all) were already taking place at most banks, insurance companies and other financial services firms. The financial services industry continues to possess the most mature security practices across the scale when compared with retail, manufacturing, media, education, healthcare, etc., and these requirements should be nothing but a formality in the majority of instances.
However, I will be the first to admit that the pushback/panic in the introductory phases was warranted. When the NY DFS introduced the first version of this regulation in September 2016, Gartner received many inquiries around the actual requirements for certain controls. Many clients were perplexed by requirements that say data must be encrypted, but don’t say how or where. They also say that privileged users must use two-factor authentication (who defines privileged users?). There were also other inquiries around hiring of security staff, formalization of the CISO role, whether the listed policies are required, etc.
During a public comment period (after the introduction), the financial services industry (FSI) raised the same concerns. Others argued that there wasn’t enough time to comply with these “stringent” requirements, and some firms highlighted a lack of the staff/budget required to implement these changes. Many were left scratching their heads and many more were scrambling at the last minute to ensure that they were compliant with these regulations. This resulted in certain additions and changes to the requirements. The NY DFS rolled out an adjusted version in December and approved a final version last month.
The biggest change? Everything and anything that FSI firms are doing in terms of cybersecurity must be done through a risk-based approach. That now gives firms flexibility in determining the requirements that affect them the most. Rather than a “one-size-fits-all” approach, many requirements for both the cybersecurity program and the cybersecurity policy (or policies) are now explicitly tied to the institution’s Risk Assessment. For example, requirements related to an institution’s vulnerability and penetration testing, audit trail capabilities, use of encryption, and certain multi-factor authentication rules are now explicitly based on the risks and other issues identified in the Risk Assessment.
Is this the end of the road? No. Years ago, research analysts from Gartner and other security experts identified many of the same measures as critical components of an information/cybersecurity program, and organizations should have been realizing/implementing these measures before the roll out of this particular regulation.
This is a good first step, but we must improve our model going forward. The realities of digital business have already kicked in. Organizations are embracing digitization and many more are participating in a digital ecosystem. While we talked about tens of thousands of elements in traditional information security, we may be looking at millions of elements in what we define as digital security. It will be impractical to manage those with the conventional methods we are accustomed to.
Digital business is also characterized by the reality that many of those initiatives are driven internally within the organization. This represents a shift in the governance model: in a conventional approach we have a centralized IT authority and a centralized security authority that provides assurance, while in the digital business world we start to lose that centralization and control becomes more fragmented. And finally, there are newer risks that have emerged as a result of digital business. Yearly briefings to the board and formalization of cybersecurity policies are not enough to sustain an environment where new risks due to digital business are introduced practically every day.
To conclude, I definitely think that the State of New York led the way in introducing state and industry mandated regulations for cybersecurity, and it must now consider expanding this to other industries that have traditionally lagged in terms of cybersecurity practices. Other states can and must look into the lessons learnt from this experience to influence change to cybersecurity practices in their environments. However, we must remember that this is only a stepping stone; there is more room for improvement and adaptation to the realities of cybersecurity risks.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.