Financial institutions have until Oct. 2017 to comply with many of the New York State Department of Financial Services (DFS) Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500). Affected companies must issue a certificate of compliance by Feb. 15, 2018 for certain parts of the regulation. The law, which took effect on March 1, 2017, is in response to the increasing cybersecurity threats posed to customer information and financial IT systems.
What does this mean for you?
If you are a financial services organization licensed and/or regulated by the New York State DFS, you are now required to assess your specific security risk profile and design a program that addresses your organization’s risks, as well as file an annual certification that confirms you are in compliance with the regulations. And for those outside of NY, take heed, as this will likely spread to other states.
Let’s break it down
The new rules affect virtually every aspect of IT security at financial firms: NYCRR 500 covers the creation (or updating) of a firm’s cybersecurity program.
The regulations offer guidance on establishing cybersecurity policy and clarify the role of the CISO. Sub-sections of the rules discuss steps financial firms should take regarding penetration testing and vulnerability assessments, audit trails, access privileges, application security and much more.
At the root of all this is IT security mindfulness and the recognition that IT security is a process, not a project. After all, projects begin and end, whereas security mindfulness is persistent. The requirements can be grouped into two general stages: 1) setting up and implementing a security program, including an owner (CISO), and 2) practicing it on a daily basis.
Recognizing that many firms may not have the necessary skills in-house, the regulations allow for many of these functions to be co-sourced to specialist firms. Indeed, the pervasive skill shortage of IT security talent makes the co-sourcing route an attractive option.
Co-sourcing is not outsourcing
The core of the regulation requires that firms base IT security decisions on sound risk management practices. This means documenting policies and procedures for incident handling and response, monitoring audit trails and training employees. It’s a lot for even mid-size organizations to satisfy, even in spirit, much less in practice.
Co-sourcing is based on a long-term relationship and emphasizes values traditionally associated with partnering rather than with vending. This is different from outsourcing, in the sense that outsourcing is dumping your problems onto someone else, whereas co-sourcing is all about working hand-in-hand.
This gives rise to the opportunity for managed security services providers (MSSPs) to aid financial institutions in implementing a cybersecurity program that can identify and assess internal and external cybersecurity risks, detect and respond to cybersecurity events and fulfill applicable regulatory reporting obligations.
Complying with the mandate can be prohibitively expensive for small and mid-size banks, credit unions and financial organizations. Many can’t afford to hire a CISO – even a fractional or interim CISO – or assign the internal resources to fulfill the mandate of “making risk management the core of your security decisions.” This is where MSSP services fill the skill and budget gap.
Technology alone is about 15 percent of the solution. Expert analysts and robust, disciplined and documented processes, the core of the services an MSSP offers, are the remaining 85 percent.
EventTracker also offers educational and practical resources to help bring financial institutions into compliance with the regulations, such as an April 6th webinar: 23 NYCRR 500 Compliance: Everything you need to know. Registrants receive a complimentary Incident Response Plan fulfilling one of the State’s requirements.
Consider that these regulations arise out of concern that financial firms are facing increased cyber threats today, and that they establish “regulatory minimum standards” intended to foster the creation of effective cybersecurity programs in the financial sector.
The goal is to protect customer information by securing the IT assets of regulated entities. Each financial firm must assess its risk profile and design a program that mitigates the most serious risks. 23 NYCRR 500 stays away from prescriptive advice. It’s not a cookbook. Rather, it provides guidelines for senior management. For those organizations constrained by budget and in-house skilled resources, co-sourcing an organization’s internal cybersecurity efforts with an MSSP presents a viable way forward.