02 August 2017
Blogs by author: Janet Himmelreich, Head of Security, Risk and Compliance Centre of Excellence, BT.
Will you really be able to use your current security policies and procedures to meet the requirements of the latest New York cybersecurity law for financial institutions?
In my last blog article, I wrote about New York State adoption of new cybersecurity regulations for financial institutions, which came into effect on 1 March.
It appears that this date, and the fact that there are only 26 days to comply, may have caught some organisations by surprise. Those affected by the law (23 NYCRR 500, “Cybersecurity Requirements for Financial Services Companies”) include state-chartered banks, foreign banks licensed to operate in the state, and any insurer that does business in New York.
Keep in mind that this law is just the first of what we can expect to be a flood of similar regulations throughout the US and around the world – and not limited to financial services as it is in New York.
What happens if you don’t comply?
Fines and vigilant supervision are the possible results of failing to establish a cybersecurity program that is sufficient for your business and risk profile. While the penalties for non-compliance are one of the unclear aspects of the law, no company wants to be front-page news for failing to protect its assets – including customers’ private information – from a cybersecurity attack. BT is tracking whether the Department of Financial Services (DFS) plans any non-compliance action or series of actions.
Am I ready?
All of this probably leads one to ask: what do you need to do to meet the requirements? Is what you already have in place for security going to be sufficient? The answer: partially.
Any financial services company has likely already put in place a compliance program based on the seven components of the US sentencing guidelines and/or some of the security and privacy policies and procedures required by federal laws affecting financial entities, such as the Gramm-Leach-Bliley Act (for a copy of this law see: https://www.ffiec.gov/exam/InfoBase/documents/02-con-g-l-b_summary_of_provisions-010416.pdf) and the Dodd-Frank Act (for a copy of this law see: https://www.sec.gov/about/laws/wallstreetreform-cpa.pdf).
The key will be ensuring that what you already have includes the 13 main points as I discussed in my last blog.
Addressing the gaps
If there are gaps, or if what you have in your current policies and procedures does not fit, then they will need to be synthesized into a specific cybersecurity program, based on your risk assessment and reflective of your company’s risk appetite.
Re-using what’s already in place is prudent. However, there is work to be done to assess the adequacy and the ‘fit’, and to ensure the cybersecurity program is appropriately documented.
We’re doing it ourselves
Additionally, service providers, such as us here at BT, have to be able to demonstrate compliance with the portion of the law which states that service providers must have appropriate cybersecurity programs in place by 28 February 2019.
And remember: while compliance is necessary to secure the enterprise, it’s not just a tick-box exercise. See our new BT report with KPMG to see compliance as part of a wider journey.