Since March 1, 2017, banks, insurers and other financial services companies regulated by the New York Department of Financial Services (NYDFS) must maintain a cybersecurity program to protect consumers and ensure the safety and soundness of New York state’s financial services industry.
New York is the first U.S. state to adopt and implement a comprehensive cybersecurity regulation. Many organizations are struggling with compliance challenges related to this regulation, including risk assessment, compensating controls, materiality, compliance deadlines and the certification process.
The first major deadline under the new rule was August 28, 2017, by which time firms were to have developed and implemented a risk-based cybersecurity program, cybersecurity policies and an incident-response plan. Risk assessments are due by March 1, 2018, but the first certification deadline is February 15, 2018.
Based on our discussions with executives in the industry and following our risk assessment workshops, it is clear that many firms are behind in their compliance efforts. Indeed, despite the passage of the first deadline, some firms are revisiting their risk assessments to ensure they cover all entities in the organization that pose a cybersecurity risk to the business.
The perception is that many risk assessments are not as inclusive or deep enough to meet the regulator’s expectations. Protiviti has developed a high-level methodology to help guide firms through the compliance process. It is outlined in our recently published white paper, Decoding NYDFS Part 500, available for free download on our website.
In our experience, we see companies falling short in a few common ways. One is a tendency to implement a required control for security or hygiene reasons — such as multifactor authentication (MFA) — without conducting and documenting a proper risk assessment, or by repurposing a previously conducted risk assessment instead.
The NYDFS has made it clear that it is looking for more than check-the-box compliance. Regulation is forcing deeper thought, and that’s a good thing. In this case, the journey — a well-documented, unique and specific enterprisewide risk assessment — is the destination from a regulatory perspective.
Organizations that have skipped this vital step are going to have to work backward to build these linkages and reconstruct the logic that led them to implement controls. In some cases, they may find it necessary to modify controls or to add controls based on a more thorough risk-driven analysis.
Using a risk assessment to connect a control implementation to a risk can be very helpful internally in building a case for the required investment. It can mean the difference between perceiving a request as a “need to have” versus “nice to have.” We think it will also prove critical to providing senior management with the assurance they’ll need when it comes to signing off on compliance efforts by February 2018, as required by the NYDFS.
Risk assessments are hard to do. When it comes to cybersecurity, most companies rely on instinct, as opposed to perspiration. That’s like filling sandbags because you know the water is going to rise, but not taking the time to figure out where to put them.
Now that we are six months into the implementation cycle, we can see the light bulb is beginning to flicker on, with more companies requesting enterprisewide risk assessments. These assessments take time, which means time is of the essence to document and build a case for executive certification by February 2018.
The individual or group of individuals responsible for attesting to the company’s compliance with cybersecurity regulations must be able to review sufficient written evidence and documentation to allow proper certification of compliance. A successful risk assessment requires a certain level of granularity that provides good cybersecurity coverage but does not overwhelm the security and risk teams by identifying too many different risks.
A thoughtful approach to the risk assessment ensures a comprehensive view of risks but identifies actions an organization can complete in a reasonably short time frame. Ultimately, the risk assessment should be used as a foundation to ensure that actions taken are consistent with identified risks.
If firms haven’t already done so, they need to start work on their risk assessment immediately to determine their processes and how expansive and holistic their cybersecurity program needs to be.