Last month, in New York City, Protiviti hosted a gathering of scores of financial service industry representatives to discuss the recently enacted New York Department of Financial Services’ (DFS) Part 500, Cybersecurity Requirements For Financial Services Companies. Similar in design to the previously enacted DFS Part 504, Transaction Monitoring and Filtering Program Requirements and Certifications, Part 500 requires DFS-regulated covered entities (including banking organizations, insurance companies, money services businesses and others) to develop and maintain effective cybersecurity programs and to certify annually to the DFS that they are meeting the requirements of the regulation.
The attendees – chief information security officers, chief compliance officers, chief counsels, internal auditors and other senior executives of banks and insurance companies – engaged in a lively discussion with a panel of cyber experts about the challenges of managing cyber risk and were especially honored to hear directly from DFS Superintendent of Banking Maria Vullo, who shared the reasons her agency felt it necessary to adopt this regulation, as well as her compliance expectations.
Superintendent Vullo said that “as cyber-attacks are increasing across the globe, laws and regulations are not just appropriate, they are necessary. Government must be in the game, looking ahead to help prevent misconduct.” The need for a proactive partnership between government and industry to do more to prevent and learn from cyber attacks was a strong theme throughout the Superintendent’s comments. While she recognized that many covered entities have multiple regulators all of whom may have different expectations regarding cyber risk management, the Superintendent stated her firmly-held belief that to do nothing, in the hopes of achieving a uniform regulatory approach in the U.S., was simply not an option for the DFS, and she encouraged other regulators to adopt the DFS model. From a governance perspective, the Superintendent was very clear that industry responsibility for cyber risk management rests squarely at the feet of boards of directors and senior management.
In designing Part 500, the Superintendent said that DFS’s goal was to develop “a roadmap – minimum safeguards for cybersecurity – which leave room for innovation.” The agency’s focus will be on the outcome, recognizing that different risk profiles will require different responses. Superintendent Vullo signaled a willingness to work with the industry and share leading practices toward the common goal of strengthening the industry’s cyber resilience and said that “where we see clear cooperation and good faith effort, our response will be tempered even where there is need for improvement.”
While the DFS is still developing its cyber framework and examination program, comments from the Superintendent and from the expert panel suggested that, in addition to support from the top of the organization, several other key takeaways from the session should be noted:
- Until there is a uniform regulatory standard, organizations – especially large, complex multinational organizations – will still need to address varying expectations and different areas of focus as they develop or enhance their cyber programs.
- A rigorous, customized risk assessment should be the cornerstone of the cybersecurity program, and it will be important for covered institutions to step back and revisit their risk assessment process and output to ensure that it is providing the appropriate foundation for building the program.
- While many organizations would immediately turn to IT to build the cyber program, it is very important to involve the business – e.g., materiality should be designed at the business level since IT may see the risk differently. To be effective, cyber professionals must understand the business.
- Third-party risk management issues, which are a very complex challenge for many organizations, are critically important to the cyber compliance effort.
- While some of the control requirements (multifactor authentication and encryption or reasonable substitutes for these) are not required immediately, the time to start thinking about them is now since implementation will take time.
- Communication across the organization will be critical to the success of the program.
One of our expert panelists likely summed up the feeling in the room when he reflected that in the beginning of his career IT people sat in a backroom and no one much cared what they did so long as things kept working, but as technology gradually became a business enabler, the attendant risks to the business could not be ignored. Cyber is one of those risks on which every institution and every regulator is now focused. No more quiet backrooms for the IT, business and risk professionals charged with protecting their organizations against cyber attacks; they are now front and center in the battle to protect their organizations, their customers, and the market against the growing cyber threats.