In March 2017, the New York State Department of Financial Services passed 23 NCRR 500, which establishes cybersecurity requirements for financial services companies. The regulation is one of the first to advocate a risk-based approach to security that does more than simply react to threats.
Core to the regulation is the completion of a risk assessment that can be used as the basis for securing organizations. Instead of hard-coding specific measures into the regulation, most provisions are prefixed one way or another with the phrase “based upon the covered entity’s risk assessment.” Using a risk-based approach builds in flexibility that makes the regulation more adaptable to industry and technology changes that occur over time and allows practitioners to focus on their security program rather than just compliance. A properly-conducted risk assessment also provides CISOs, CFOs and CROs with critical information that they can integrate into their financials, insurance coverage and overall picture of enterprise risk.
Depending on their maturity and specific strengths and weaknesses, different companies will face different challenges in complying with the NYS DFS cybersecurity regulation. Compliance will be especially challenging for small companies—those with up to 10 employees, $5 million revenue and $10 million in assets—who will need to get the basics in place when it comes to people, processes and technology.
The NYS DFS cybersecurity regulation requires companies to appoint someone with a sufficient level of cyber expertise, hire a chief information security officer, or outsource the responsibility to a third party that specializes in cybersecurity. This means that companies can no longer make the “IT guy” a jack-of-all-trades, including managing anything cyber-related.
On the process side, establishing, documenting and implementing up-to-date and appropriate policies and procedures related to cybersecurity is a challenge even for large corporations with teams of resources dedicated to the task. For small companies, which are often accustomed to winging it with verbally-communicated processes, complying with the regulation’s requirement to carry out documented risk assessments “in accordance with written policies and procedures” will take some time and attention. If they do not have written cyber policies and procedures to begin with, many companies will be starting from scratch—and often without an understanding of what a proper risk assessment entails or an in-house expert to lead the process.
Implementing the right technical controls that align to the company’s processes and procedures is also important. The NYS DFS cybersecurity regulation states that after performing a risk assessment, companies should “allow for revision of controls to respond to technological developments and evolving threats” and that companies “must use defensive infrastructure and implement policies and procedures to protect their information systems, and the nonpublic information stored on those information systems, from unauthorized access, use or other malicious acts.” Smaller companies often have more informal controls on the technical computing environment, which could make compliance difficult and potentially expensive.
For small companies that are behind the curve, they will need to add the people, processes and technology to better control who is accessing their valuable information assets, and how they are accessing and interacting with those assets. The answer in many cases will be to outsource to managed security services or a cloud provider. It is important to note that while responsibility can be outsourced, accountability still lies with the board and senior executives who certify compliance.
Large financial services companies face their own set of challenges when working to comply with the NYS DFS cybersecurity regulation. Most companies already struggle to reconcile their compliance with the many other existing regulations, and now they have one more to add to the stack. With resources already spread thin trying to comply with regulations while also protecting their environment, dedicating even more time towards compliance using the same amount of manpower and resources will continue to distract from their real mandate of security. Large companies also have more complicated architectures with larger attack surfaces, so “identifying and assessing internal and external cybersecurity risks that may threaten the security or integrity of nonpublic information” will come as a challenge for those that do not have a central place for collecting and analyzing cyberrisk data.
Performing the regulation’s required risk assessments and properly managing cybersecurity in general requires companies to have visibility into their assets, especially those that, if compromised, would most impact the business, its customers and shareholders. But if a company does not know where its most important assets are located, who is accessing them and how they are interacting with them, how can a risk assessment be performed? How can it properly monitor and protect those assets?
Finally, the NYS DFS cybersecurity regulation mandates that companies provide notification within 72 hours after determining a breach has occurred. Large companies have red tape and layers of legal and reporting for just about every part of their infrastructure. Cutting through that bureaucracy within the required time may prove difficult.
So how can companies overcome these challenges? Small companies should either look to hire an in-house cyber leader or find a managed security services provider. That person or provider should help the company identify where their most valuable assets exist, develop a deep understanding of those assets and the people and systems surrounding them, and then implement policies, procedures and technologies to protect those assets.
A large company should structure its cyberrisk assessment effort as its own project, with a dedicated internal or external team. Just as in other risk domains, incorporate stakeholders from across the enterprise to provide input into the business value and technical parts of the puzzle. Leverage existing information that likely already exists in the form of business continuity plans or other internal operational and regulatory documentation. Harness the mountains of telemetry data that are already being gathered in silos and use a combination of analytics and subject-matter expertise to structure a repeatable process that can advise a cyber defense strategy from the top down and daily protection activities from the bottom up. Integration, analytics and automation are all critical elements to best juggle the many regulatory requirements and optimize how security resources are applied.
At a very basic level, IT asset management at most companies is not very mature. To even begin a risk assessment, the process requires an inventory of the company’s information assets and their business value. Even those companies that have a good handle on their IT assets usually have not quantified the impact of losing the confidentiality, availability and/or integrity of those systems.
At the technical level, although most large companies are using threat and vulnerability identification tools, they struggle to connect the dots between the data coming from those tools and the assets actually at risk from a business perspective. Knowing that a thousand vulnerabilities are impacting thousands of servers does not identify which are most important or which actions should be taken to minimize the company’s exposure. That list of vulnerabilities only becomes meaningful when they can be prioritized for patching based on the loss impact of the applications to which those servers are connected, and the probability of the vulnerability being exploited.
The vulnerability of the public-facing applications that contain customer personal data needs to take precedence over internal applications with less-sensitive information. This kind of analysis is required for each provision of the NYS DFS cybersecurity regulation, allowing companies to align their budgets and security actions with their actual risk.