New York State Department of Financial Services (DFS) has published its revised proposal for what it calls a 'first-in-the-nation cybersecurity regulation' for New York regulated financial services. Publication was delayed by approximately one week following significant pushback from affected organizations on Dec. 22 2016.
"This updated proposal (PDF)," announced Financial Services Superintendent Maria T. Vullo, Dec. 28, "allows an appropriate period of time for regulated entities to review the rule before it becomes final and make certain that their systems can effectively and efficiently meet the risks associated with cyber threats."
There have been many minor changes to the original proposal first released in September 2016. These have attempted to make the requirements less onerous without weakening security. For example, it is now less prescriptive and individual implementation "shall be based on the Covered Entity's Risk Assessment." Annual penetration testing is now required "absent effective continuous monitoring, or other systems to detect, on an ongoing basis, changes in Information Systems that may create or indicate vulnerabilities."
However, DFS has made it clear that over the final 30-day comment period, only issues not already raised will now be considered. The current proposed document is likely to be the final regulation; and there will be little time for regulated organizations to ensure their compliance before it becomes effective on March 1, 2017. The requirement for annual compliance reports will be effective from February 15, 2018.
At a hearing on December 22, New York bankers raised a number of continuing concerns. These include the cost of compliance (which will divert funds from other priorities); the apparent requirement to employ a CISO (which is seen as an interference in the way organizations run their business); and potential conflict with other regulations (such as the federal rules of FFIEC, Federal Reserve, the OCC, the FDIC and even NIST).
The new 14-page DFS regulation is effectively a very detailed high level security policy document. It states what is required from financial services rather than how the requirements should be implemented. As such it is yet another set of compliance regulations that relevant companies need to meet.
There is a strong body of opinion among security officers that too many regulations can impinge on actual security efforts by diverting effort, and funds, away from the front line. Many suggest that regulations should focus around the NIST security framework; perhaps by persuading NIST to add specialist appendices. This would provide a single go-to source for what needs to be done.
In this instance, two of the main new requirements for New York financial institutions would be the need to employ a CISO; and the need for annual reports, effectively signed-off by the board with a certification document to be sent to the DFS.
Section 500.04 requires that 'covered entities' must designate a 'qualified individual' who is described as a Chief Information Security Officer (CISO). From that point onwards, that person is described as the CISO. This alone raises a number of issues. What qualifications are necessary for a CISO? Must the organization concerned redefine its current information security officer as a CISO?
The new requirement for annual compliance reports requires that the CISO "shall report in writing at least annually to the Covered Entity's board of directors or equivalent governing body." This will effectively be a statement on how the regulation is implemented, including details on 'material Cybersecurity Events'.
This much is already considered good practice, but frequently doesn't happen. Even where a report is delivered, there is no guarantee that the board will take much notice. The new regulation, however, requires that on February 15, 2018 and annually thereafter, the organization's Board of Directors or a senior officer confirm, or certify, to the DFS with a "Certification of Compliance with New York State Department of Financial Services Cybersecurity Regulations."
The purpose is clear and beneficial. The new regulation seeks to both define good security practices and ensure that the board is responsible for their implementation. It marks a new process where regulators don't simply stand outside of an organization with policy guidelines, but actually impose new business practices on the regulated entities.