Implementing New York DFS Cybersecurity Regulations: Where Are You in the Process?

Here at NopSec, we’ve spoken with a number of financial organizations about where they are in the process of meeting the new New York Department of Financial Services (DFS) cybersecurity regulations that went into effect on March 1, 2017. We’ve learned that different companies are in different stages. Some began their preparations before the March 1st effective date, and others are still in the information gathering stage.

Regardless of which category you’re in, we recommend checking out our recent on-demand webinar, which provides a high-level overview of the regulations. If you’ve been following along with NopSec’s implementation recommendations, you may already know that we suggest prioritizing two things: your baseline risk assessment and the appointment of a CISO (chief information security officer).

Baseline Risk Assessment

Your baseline risk assessment and gap analysis will play a key role in determining how to approach the remaining areas of focus. One of the new DFS requirements is that you have a documented cybersecurity policy that you evaluate on a continual basis and that is approved by senior officers and your board of directors. A wide range of items may need your attention in that policy and the procedures that you develop from it. Some examples include:

• Information security
• Data governance and classification
• Asset inventory and device management
• Access controls and identity management
• Systems operations and availability concerns
• Systems and network
• Systems and networking monitoring
• Systems and application development and quality assurance
• Business continuity and disaster recovery planning and resources
• Physical security
• Environmental control
• Customer data privacy
• Vendor and third party service provider management
• Incident response

Your baseline risk assessment will help you determine how to prioritize each of these concerns.

Appointing Your CISO

Having someone with the right experience in the CISO role now will also help you develop an effective roadmap for implementing the new regulations on time. Some companies are able to promote a CISO internally, while others must consider external candidates in order to find someone with the right qualifications.

Contracting with a virtual CISO is also an option. We strongly recommend considering this if you are having difficulty finding qualified candidates. The most important thing is that whoever you have in the position, they bring the right experience. This person will be responsible for working with DFS auditors, reporting to your board of directors, and maintaining and evaluating the effectiveness of your entire cybersecurity program.

Unanswered Questions

If you’ve read the New York DFS cybersecurity regulations and continue to have unanswered questions, you’re not alone. By design, the regulations are not overly prescriptive; they defer a lot to your organization, recognizing that each will have unique risks and vulnerabilities. Some practical matters also have yet to be defined. For instance, DFS has not announced what the exact method will be for submitting your certification and reporting paperwork when it comes due. Logistical matters like these are expected to become clearer in the coming months. For other grey areas like how to apply the regulations to your unique environment, focus on your baseline risk assessment. You can also contact NopSec to assist with this process or if you are seeking a virtual CISO.

Conducting a risk assessment and hiring a CISO should be two of your priorities, but they’re only a start. For more information on implementing the new DFS regulations, check out our on-demand webinar now.