New York State proposes game-changing regulations for financial services organizations and their suppliers
Last Friday New York’s Governor Andrew M. Cuomo announced a game-changing stance to tackle the potentially state-crippling threat of cyber-attacks. The regulation would require almost every bank, insurance company and other financial services institution regulated by the State Department of Financial Services, along with their vendors, to have the Chairperson of the Board of Directors certify that they comply with the regulations.
For the first time since the Enron scandal, which led to the implementation of the Sarbanes-Oxley Act, New York State is putting the onus of cybersecurity not on IT management alone but firmly on the shoulders of senior and executive management. After careful review of the requirements, and intense discussions with attorneys, compliance professionals and other Chief Information Security Officers (CISOs), we believe the state's move may trigger an avalanche effect nationally and across critical industry sectors.
Although the proposed regulation is subject to a 45-day notice period, it is expected to become effective on 01/01/2017. From that date, a transitional period of 180 days will allow organizations to submit to the state a certificate of compliance, signed by the chairperson of the board, stating that the organization has met the following key requirements:
- A cybersecurity program must be established.
- A suitably qualified, named Chief Information Security Officer (CISO) must be designated and made responsible for implementing, overseeing and enforcing the program.
- A formal cybersecurity policy must be designed, documented and implemented to ensure the security of information systems and of nonpublic information accessible to, or held by, third parties, along with a variety of other requirements to protect the confidentiality, integrity and availability of information systems.
- From 01/15/2018 the state will require notification of a cybersecurity event within 72 hours of detection.
Historically, cybersecurity was regarded as an IT problem. It is now apparent that this attitude will be forced to change. As New York State Department of Financial Services Superintendent Maria T. Vullo said, "Regulated entities will be held accountable and must annually certify compliance with this regulation by assessing their specific risk profiles and designing programs that vigorously address those risks."
At Kalki we strongly encourage members of the board to use this grace period as an opportunity to “know what you don’t know” by seeking counsel from independent cybersecurity experts to determine whether their organizations a) are in scope, b) have documented their implemented controls and c) have a plan to meet the compliance requirements.