New York Cybersecurity Regulation Holds Financial Services Boards Accountable

May 16, 2017

Are you willing to stake your personal reputation on your financial institution’s cybersecurity?

If you are a board chair of a company regulated by the New York State Department of Financial Services (DFS), then that is exactly what you have been asked to do.

The new DFS Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500) direct the chairperson of the board or another senior officer of each covered entity to certify by Feb. 15, 2018 (and annually thereafter) that the institution’s cybersecurity program complies with this extensive regulation.

No previous government regulation has held boards of directors this directly accountable for their organizations’ cybersecurity practices. In doing so, DFS underscores the seriousness with which it views the “ever-growing threat posed to information and financial systems.”

In just the last few years, the global cyber-criminal community has come of age and is threatening the very foundation of our banking system. Previously, cyberattacks on banks focused on harvesting login credentials and credit card data. The threat has now progressed beyond the confidentiality of information, as was dramatically demonstrated in last year’s attack on Bangladesh Bank. The headline of that story is not so much the $81 million the thieves stole (out of nearly $1 billion attempted). The truly alarming part is that, by compromising the bank’s connection to the bloodstream of the financial system, the SWIFT network, and issuing fraudulent payment instructions that the system accepted as genuine, the attackers undermined the integrity of the banking system itself.

New York Requires Risk-Based Cybersecurity Program

The DFS regulation takes a more comprehensive approach than anything we have seen so far. Not only does it mandate a cybersecurity program, it goes on to specify detailed criteria for what that program must contain. In the originally proposed rule, these criteria were so detailed and prescriptive that critics raised concerns about the compliance burden, especially for smaller entities with limited resources.

In response to this “one-size-fits-all” concern, the DFS final rule requires a risk-based approach: periodic risk assessments that drive the design of the program and that are updated as needed to address changes in the institution’s operating environment and threat landscape.

The Problem with IT Risk Assessments

Risk assessments are not new to banks and other large financial institutions, but too often they consist of superficial compliance checklists. Checking “yes” or “no” against a list of requirements is, at best, a compliance exercise. It does nothing to inform the business about the operational and financial risks that could actually devastate it.

Another problem with traditional IT risk assessments is that they start from faulty assumptions about which assets are truly at risk. The IT perspective tends to define assets as technical infrastructure, a server or a firewall, for example. These technical components, while important, are not where the real value at risk for a financial institution lies.

What does represent value for a financial institution? Think about the source code that powers online financial transactions. Consider your institution’s strategic plan, your customers’ account information, or the applications your customers depend on 24×7. These “digital assets” are the lifeblood of the company, and the question a risk assessment must answer is what happens if their confidentiality, integrity or availability is compromised: the answer is significant financial, reputational and operational damage to the institution and its customers.

Gain Peace of Mind Through Independent Assurance

With its annual Certification of Compliance, New York DFS places accountability for cybersecurity squarely in the laps of financial institution boards of directors.

Putting your name on the line requires a high level of confidence that your institution’s cybersecurity program measures up to the stringent DFS requirements, confidence that can be gained through independent assurance from an objective third party. Beyond giving the board and management peace of mind, independent assurance reporting on privacy and security controls is increasingly becoming a cost of doing business in the high-stakes financial world.

Two strong assurance reporting options are certification against the ISO 27001 information security standard and a new report based on the American Institute of CPAs’ cybersecurity risk management reporting framework (SOC for Cybersecurity). Neither is a substitute for the DFS certification itself, but both provide a structured basis for independent assurance that the controls behind that certification are designed and operating effectively, and, more importantly, that the program is up to the task of protecting the institution and its stakeholders.

About the Author

Dan Schroeder

As a Partner of Aprio’s Information Assurance Services team, Dan applies his over 25 years of experience in IT, operational and risk management functions to provide guidance on cybersecurity and privacy risk management strategies to the CISOs, CIOs and Internal Counsel of domestic and international technology-based businesses. In addition to helping clients establish, monitor and maintain effective information security and privacy risk management programs, Dan specializes in providing risk assessments and attestation services to address PCI, ISO, CMMC, FedRAMP and other leading privacy and security protocols.
