Cyber-Security Re-Defines Business Structure
bThe New York State Department of Financial Services’ new cyber-security regulations CC 23 NYCRR 500 takes effect on February 15, and financial institutions will need to change how they approach cyber-security.
After decades of outsourcing IT processes and staff, financial institutions will need to bring their information security responsibility back in-house.
Firms that fall under the regulation’s mandate will need to put a cyber-security program in place and name a chief information security officer who will take the ultimate responsibility of meeting the regulation’s requirements.
“A lot of firms, however, are looking at the exceptions rather than what the best practices are and what the guidelines in the requirements would be,” said Josh Barons, director of information security at Abacus Group.
Financial firms that employ fewer than 10 people (including contractors), has less than $5,000,000 in annual revenue for the past three years, or have year-end assets of less than $10 million are exempt from a majority of NYSDFS’ cyber-security regulation.
Whether firms must comply with the full regulation or a portion of it, it is only a matter of time before financial regulators in other states write similar rules, said Barons.
“We saw the same sort of thing when Massachusetts worked on its privacy requirements and breach-notification laws,” he added. “Once one state does it, soon there is a flood of other states follow.”
The typical model of placing the responsibility for information security into the IT organization, will not hold up, according to Barons.
“I think it is going to be a lot harder to say that someone who already wears seven hats now has this responsibility too,” he said.
Barons views the responsibility for information security being a c-level position with access to the board, knowledge of the company products, and participates in day-to-day operations.
“It should not be stuck in a closet of a back room,” he said.
Overall, Barons grades the financial services vertical a ‘B’ in its overall preparedness for the new regulation but uses a curve, he admitted.
“You have banks that have a lot of funding, mature cyber-security programs, and full backing from the top down,” said Barons. “Then you have smaller firms where they do not have any of that.”
However, there are resources, such as the US Department of Commerce’s National Institute of Standards and Technology that can help firms implement the necessary best practices with its 800 series publications.
“Most of the regulatory requirements that we have seen over the past several years are based on NIST’s best practices, especially when it comes to Federal and other governmental regulations,” he said.
Dearth of board-level experience hampers cybersecurity planning and rollout.
One legislator wants markets better informed in case of cyberattack.
No single firm or regulator can tackle the borderless nature of cyber-crime.
New regulations with little harmonization make life difficult for firms.
Business-as-usual will not keep firms on the right side of compliance.