NY Financial Institutions: The Countdown Clock to Build a Cyber Program Is Ticking


2/28/17

In December 2016, the New York State Department of Financial Services (DFS) published cybersecurity regulation designed to protect consumer data and financial systems from the ever-growing threat of cyber attacks. Considered the first in the nation, the proposed regulation takes effect March 1, 2017. It will require covered entities, which include banks, insurance companies, and other financial services institutions regulated by DFS, to establish and maintain a cybersecurity program and ensure compliance with rigorous cybersecurity requirements. In 2018, covered entities will be required to submit a certification as to their compliance with the new standards.
 
What are the immediate action items for financial institutions? In short, covered entities must start considering implementing cybersecurity controls now. Fortunately, the DFS is very clear regarding what needs to be in place and by when, eliminating ambiguity. The following is a summary of the amended ruling, including key controls and a timeline for action items. Note that all of the below is subject to a risk assessment to determine applicability; there are also limitations for smaller firms, such as those with fewer than 10 people or less than $5 million in revenues. 
 
6 Months from the Effective Date
  • Cybersecurity Program: Identify the internal and external cyber risks, and implement the required policies and procedures to detect, respond to, and recover from cyber events.
  • Cybersecurity Policies: As part of the cybersecurity program, implement applicable policies based on the risk assessment (11 policies are mentioned, including those governing information security, information assets, network security, data privacy, etc.).
  • CISO: Designate a CISO who will retain responsibility for the cyber program.
  • Access Privileges: Limit access privileges to information systems that provide access to non-public information, and periodically review those access privileges.
  • Cyber Personnel and Intelligence: Provide security personnel with cyber training and updates, and verify that cyber personnel take steps to maintain their knowledge.
  • Incident Response Plan: Have a documented process for responding to a cyber event.
  • Notify Superintendent: No later than 72 hours after the determination of a material security event, covered entities must notify the DFS.
 
One Year from Effective Date
  • Board Reporting: The CISO must present a written report to the board or senior officers regarding the current state of the cyber program and material risks.
  • Pen Testing and Vulnerability Assessments: Annual pen tests with bi-annual vulnerability assessments
  • Periodic Risk Assessment: The entity must have a risk assessment based on written policies and procedures, including documenting the assessment criteria and describing how risks will be mitigated or accepted.
  • Multi-factor authentication: Must be implemented to protect nonpublic information
  • Training: Provide regular cybersecurity awareness training for employees
 
18 Months from Effective Date
  • Audit trails: Maintain audit trails on systems that are designed to reconstruct material financial transactions to support operations and to detect and respond to cyber events (such records must be retained for five years).
  • Application security: Include written procedures, guidelines, and standards designed to ensure secure development practices for in-house developed applications.
  • Limitations on data retention: Policies for the secure disposal of any non-public information.
  • Training and monitoring: Implement risk-based policies and controls designed to monitor the activity of authorized users and detect unauthorized access.
  • Encryption of non-public info: Encrypt non-public information both at rest AND in transit, or secure it with alternative compensating controls.
 
24 Months from Effective Date
  • Third party service provider security policy: Identify and risk-assess third-party service providers, and have minimum cyber practices in place to evaluate them, including periodic assessments and obtaining proper representations.
 
To view the complete DFS regulation, click here.
 
What Does CohnReznick Think?
The DFS ruling is a great step forward in helping secure New York State financial markets and institutions from prevailing cybersecurity threats. In fact, cybersecurity professionals have recommended these controls to organizations for decades. 
 
As with all security programs, increased protection and peace of mind come with a price. For many companies, the price may very well be struggling to implement long-overdue controls into their business model. Even mid-sized to larger financial institutions may wait too long to start considering an implementation model – resulting in a half-baked security program that neither meets the State's objectives nor provides the necessary protection against cyber attacks. Management of those organizations subject to the new ruling should study the proposed regulations now, assess their compliance, and monitor the DFS website for further updates. Covered entities who start now will have a leg up on their completion, not only by avoiding an 11th-hour scramble to implement controls, but also in terms of greater peace of mind and confidence for stakeholders, potentially creating a competitive business advantage.
 
Contact
For more information, please contact Jim Ambrosini, Managing Director, CohnReznick Advisory, at 973-618-6251 or Jim.Ambrosini@cohnreznick.com.
 
To learn more about CohnReznick Advisory’s cybersecurity services, click here.
 
Join us for our webinar on April 20th, where we will take a deep dive into how your organization can effectively establish a stringent cybersecurity program that meets the rigorous requirements of the State within the mandated timeframe. Register here.
 
This has been prepared for information purposes and general guidance only and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its members, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.