The large volume of financial, banking, and insurance firms doing business in New York makes the state’s financial services and insurance industry a rich environment for hackers. For this reason, it comes as no surprise to learn the New York Department of Financial Services (NYDFS) passed far-reaching and detailed regulations designed to protect New York’s financial services industry and consumers from the threat of cyber-attacks. Firms conducting business in New York’s financial sector that have yet to make security a priority are forced to take a harder look at their risks and implement security programs to manage it effectively or face substantial fines.
This state-level security regulation is a strong example of how the security landscape is tightening and impacting businesses of every size. It also serves as a reminder to all businesses of the reason for establishing security programs: not merely for “checking off” compliance requirements but rather for protecting a firm’s data and operational efficiency. While this regulation only affects financial services firms operating in New York, the state of New Jersey is considering implementing similar regulations.
We have highlighted five lessons every business should take away from the NYDFS ruling and provided the rationale for why companies should pay attention to this ruling, regardless of the industry or states in which business is conducted.
1. Board members or C-suite must certify their firm’s security program.
The NYDFS requires a firm’s executive board or C-suite to review and certify the security program enacted by a firm on an annual basis. This requirement forces a firm’s leadership team to become more involved in the security of a business and aware of the processes and policies in place protecting the business. Additionally, this step removes plausible deniability from the board and C-suite.
What all businesses should take away from this ruling is that security is the responsibility of more than the IT department. Security is most effective when upper management is involved in the process and is able to provide guidance and direction to ensure security measures are in place to guard every aspect of a business. Representatives from departments such as HR, sales, compliance, and IT should all be involved in the security conversation.
2. Qualified security experts must manage business security programs.
Entities are required under this rule to utilize “qualified cybersecurity personnel,” including appointing a CISO, who are sufficiently trained and experienced to manage the cybersecurity risks and oversee the performance of the core cybersecurity functions. The NYDFS rule was drafted intentionally to allow for third parties to stand in the shoes for firms to meet their requirements, in the event a firm does not have the resources to hire full-time employees dedicated solely to accomplishing these cybersecurity mandates.
IT expertise is only one aspect of an effective security program. Even if resources are limited, firms should not simply repurpose members of their IT staff as security personnel if they are not qualified and experienced in the field of security. Instead, partnering with experts who specialize in cybersecurity will help companies become and remain compliant quickly and will relieve a great deal of the burden of remaining compliant.
3. Security programs should be designed with business continuity in mind.
Historically, most cyber-related rules have focused on securing network perimeters and ensuring the confidentiality of data. The NYDFS ruling focuses not just on limiting access, but also on ensuring the integrity and availability of the data. The specifics of the rule focus heavily on the sufficiency of processes in place to guard against the impact of potential threats and on ensuring a firm is capable of recovering from incidents quickly.
Having contingency plans in place is critical for all businesses to stay operational in the midst of inevitable incidents. Protecting business operations is an aspect of security that is often overlooked by many firms. When establishing security programs, devise plans to keep data not only safe but also appropriately accessible. To ensure a contingency plan is effective, businesses should practice their strategies to confirm they will hold up in the event of an actual incident. Do not wait for disaster to strike before testing the effectiveness of security policies and procedures.
4. Firms should be working on security, regardless of their size.
The NYDFS ruling recognizes that even small businesses have a duty to responsibly secure their data. For this reason, smaller businesses are only granted partial exemptions from this ruling. Qualified firms must, at a minimum, establish cybersecurity programs that address the following core security concerns:
- Security Policies
- Annual Risk Assessments
- User Access Protocols
- 3rd Party Agreements
- Data Retention Plan
There is no such thing as being too small or too early for business security. Regardless of a firm’s size, there are security measures every business can and should take to protect data and lay the foundations for a more robust security program in the future.
5. Businesses should not let themselves be caught off guard by new security regulations.
Instead of waiting for industries or states to pass security regulations and risking being shut out of business opportunities, being proactive in building a security program is a smart business tactic for all. The core security measures required for small businesses under the NYDFS ruling (policies, risk assessments, user access rules, 3rd party agreements, and data retention plans) are foundational aspects of any security program. These security measures should be addressed by businesses at the earliest stages of their life cycles.
If a firm is well-established and lacks security plans, building effective security that a board or C-suite would be willing to sign off on takes time. Making security an important part of business operations will help keep operations running smoothly and prevent a new regulation from catching firms off guard and impacting their bottom line.