The Ides of March is a historical reference to a turning point in world history: the shift in power in Rome that followed the assassination of Julius Caesar. That turning point triggered a civil war and the creation of the Roman Empire. Given the references to the Ides of March in world literature, the week of March 15th has long been portrayed as a time of turmoil, change, and angst.
I think it is quite ironic that one of the more significant privacy and security topics creating turmoil, change, and angst is coming at this same timeframe with the effective date of New York State’s new cybersecurity requirements for financial services companies. The scope and scale of the new regulation have companies of all sizes assessing the implications, and trying to figure out the best way to navigate cybersecurity in today’s new virtual wars of cyber-attacks.
While any new regulation in the privacy and security space that is focused on data protection has good intentions, it also tends to have unintended or unexpected consequences when operationalized or implemented. The functional tenets of the state cybersecurity regulation closely resemble the existing oversight and guidance facing regulated and examined financial institutions. However, the extension of its reach to third parties and the need for effective vendor management expand its scope to a larger footprint of organizations that may not have been monitoring this new regulation.
Components of the regulation
The regulation, issued by the Department of Financial Services in New York, directly affects those that operate under, or are required to operate under, a license, registration, charter, permit, accreditation or similar authorization under the Banking Law, Insurance Law, or Financial Services Law of New York State. Executing the requirements will reach beyond the institution itself, as controls must be adopted and compliance programs developed to address the updated obligations. The principal components of the regulation are:
- Maintenance of a cybersecurity program
- Cybersecurity policies approved by the Board of Directors or a committee
- Designation of a Chief Information Security Officer
- Obligations for penetration testing and vulnerability assessments
- Third party service provider oversight, due diligence and monitoring
The foundation of any cybersecurity program is a risk assessment designed to protect the confidentiality, integrity, and availability of information and information systems. FFIEC tools such as the Cybersecurity Assessment Tool have advanced the maturity of risk assessment processes for regulated and examined entities. Boards of Directors, or their designated governing body, need sufficient management reporting about the scope of risk and the effectiveness of cybersecurity controls. While the regulation allows smaller organizations to rely on an affiliate company or an outside third party for the Chief Information Security Officer function, it does not take accountability for the risk to the organization away from management or the Board of Directors.
Turmoil, Change, and Angst
Any new regulation triggers a change management process for assessment, implications, and action plans. However, the scope and reach of cybersecurity can affect so many components of our ecosystem that getting to the “scope” of the project can seem daunting. Here are some questions I see emerging as organizations begin to develop their cybersecurity programs or service provider programs to meet the new expectations.
- Is there sufficient talent, in cybersecurity personnel and intelligence, to meet the expectations?
- What level of information systems risk assessment will meet the expectations without creating duplicate risk assessments or reporting?
- Is the third party risk oversight or vendor management program mature enough to meet the adequacy expectations?
Evolving Third Party Risk
Managing third party risk has long been a part of the financial services industry. Five years ago, the updated OCC guidance raised the bar and was a turning point in driving maturity in the assessment not just of controls, but of the entire “Third Party Risk Management” or “Vendor Management” program. Continuous monitoring became the new terminology for ongoing oversight, but with cyber risks evolving, the uptick in new third party risks has created a wave of changes for service providers and for banking organizations.
The NY cybersecurity regulations expand the focus on third party service provider oversight by creating new baselines for control assessments in due diligence, risk tiering of vendors, data protection, incident response and event notification, multi-factor authentication, and data retention. Over the next year, covered entities will be implementing their programs and requesting information from their vendors and service providers, while figuring out how to document their own cybersecurity control environment.
Change is occurring, and when a state is proactive, it tends to affect the broader footprint of financial services. Organizations that do business across all states must either create a checkerboard approach to compliance or drive enhancements to process maturity to meet the higher standards.
My favorite quote from Shakespeare’s play Julius Caesar that addresses key tipping or turning points is “There is a tide in the affairs of men, which taken at the flood, leads on to fortune. Omitted, all the voyage of their life is bound in shallows and in miseries.” While we may be at a crossroads for many topics on the governance, risk, and compliance landscape, the New York State cybersecurity regulation is raising the bar, or floating all boats in the harbor, to grow in maturity for data protection. As a financial services industry, we will get past the turmoil, change, and angst of assessing and implementing, and will likely end up in a stronger position to combat the new cyber wars.