Just a month after Americans showed their patriotic pride on Labor Day with parades, backyard BBQs and a celebration of the US workforce, Americans find themselves increasingly “burnt” over growing cybersecurity threats. Just mention the word Equifax, and some 143 million Americans have reason to worry. It’s in this climate of rampant data breaches (and love of country) that the New York State Department of Financial Services (NYDFS) is taking the lead by addressing today’s growing cybersecurity threat head-on.
Earlier this year, the New York regulatory agency put in place a compliance process (23 NYCRR Part 500, effective March 1, 2017) under which banks, insurers and other financial companies licensed or regulated by the state, with limited exemptions for the smallest firms, are subject to a host of new requirements designed to help these businesses protect themselves – and their customers – from data breaches. The 180-day transition period ended on August 28, by which date companies that fall under the NYDFS purview had to meet the initial compliance requirements.
Digital Patriotism Means Doing Your Part
Financial services companies are a treasure trove for hackers because of the sensitive data they transact on a daily basis. Why leave your organization and your customers open to costly attacks? Why jeopardize the millions your organization has spent on its branding and reputation?
The NYDFS has outlined seven criteria for organizations to follow in order to meet the new standards. The criteria include:
- Design a cybersecurity program – NYDFS was careful not to be too dictatorial in its effort and wants to leave granular details of what a company thinks it will need up to them. That said, the cybersecurity program must protect the confidentiality, integrity, and availability of the company’s information systems. And all documentation of the program must be made available to the regulatory agency.
- Have an incident response plan – The adage that “no system is secure” means that even with the most robust program in place, data breaches will occur. In those instances, under New York’s new regulations, companies are required to have a written incident response plan: in short, what to do in a data emergency. The plan must be based on another document, the Risk Assessment, in which the organization evaluates its exposure to specific data security threats.
- Designate a Chief Information Security Officer – As in any company, designated authority positions improve efficiency and accountability. The same logic applies to data security and management. If a company is unable (or unwilling) to hire in-house, the CISO function may be provided by a third-party service provider or an affiliate.
- Hire Trained Personnel – A CISO won’t be effective if they don’t have a team working under them. As per NY requirements, continuously trained cybersecurity staff is a must. Here too, third-party partnerships are permitted.
- Restrict User Privileges – It’s common sense that too much unregulated access, even by the most trustworthy of individuals, can become a company’s weakest link. Access to sensitive data must be limited to what each user needs, and those privileges must be reviewed on a periodic basis.
- Notify NYDFS – Financial services businesses operating in New York must report a qualifying cybersecurity event (which can include an unsuccessful attempt, not only a confirmed breach) to the NYDFS within 72 hours of determining that it occurred. This reporting is essential, as many companies, out of a fear of losing business, resist reporting that a data breach has occurred. Too often, this delay only exacerbates the problem.
- Complete a Risk Assessment – Companies have until March 1, 2018, to complete their Risk Assessment, which underpins the cybersecurity program and policies that had to be in place by August and gives them more teeth.
Can New York Become the Empire State of Cybersecurity?
To be sure, the Empire State’s aggressive stance has been met with some blowback. For starters, a cybersecurity agenda similar to New York’s already exists at the federal level. In 2014, the National Institute of Standards and Technology published the Cybersecurity Framework (Framework for Improving Critical Infrastructure Cybersecurity), and in January of this year it released a draft update (Version 1.1) to that document.
But critically, unlike New York, NIST’s framework is voluntary: its guidelines are only that, guidelines. In New York’s case, penalties will be enforced for noncompliance, though it’s unclear at this early stage how severe those penalties will be. There’s also some ambiguity as to which companies fall under the long arm of NYDFS’s regulations.
For over 30 years, the Kelly Communications Systems team has empowered Fortune 500 companies and large enterprises with top-tier information technology and network security products, which protect business continuity and safeguard customer trust. We have security experts available to help your company: a) determine whether you need to comply with New York law in the first place, and b) get you up to speed with the right tools and technology to best protect your company and your customers.
Whether it’s marching in a parade or standing toe-to-toe with the world’s most nefarious cyber criminals by beefing up your company’s IT security, both are acts of patriotism at work.
Want more information on New York’s financial services cybersecurity requirements and how Kelly Communications Systems is bringing “Zero Trust” to the industry?