Boards of directors must have (or obtain) enough cybersecurity expertise to oversee risk, cybersecurity incidents must be reported within 72 hours of determining that one has occurred, and any ransom or extortion payment must be reported within 24 hours.
Those are just some of the changes the New York State Department of Financial Services (NYDFS) made to its Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500), adopted November 1, 2023. This tightening of the reins holds covered businesses to higher security scrutiny and makes technical and non-technical stakeholders alike more accountable.
While this may seem benign, the move is more than just “one more float” in an endless parade of advancing security requirements. These stricter, broader regulations are a powerful indicator that the tides are shifting heavily towards making everyone cyber-fluent. Cybersecurity is no longer a part of business – it is business.
5 Key Changes
As summarized by the New York Governor’s Office, the top five changes to the financial services cybersecurity requirements are as follows:
- Beefier governance | “Enhanced governance requirements;”
- Stronger prevention of unauthorized access | “Additional controls to prevent initial unauthorized access to information systems and to prevent or mitigate the spread of an attack;”
- Heavier risk assessment and incident response | “Requirements for more regular risk and vulnerability assessments, as well as more robust incident response, business continuity, and disaster recovery planning;”
- A 24-hour limit to report ransomware payments | “Updated notification requirements including a new requirement to report ransomware payments;”
- Updated direction on security awareness programs | “Updated direction for companies to invest in at least annual training and cybersecurity awareness programs that anticipate social engineering attacks and that are otherwise relevant to their business model and personnel.”
Now, let's review a few of the points that caught our attention. We’ll leave the rest up to you.
C-Suite Cybersecurity Participation: It’s Now the Law
They meant what they said when they “enhanced governance requirements.”
Now, boards of directors, or whichever "senior governing body" is in charge, must oversee cybersecurity risk management themselves. That’s a change. After countless industry blogs about "gaining buy-in" and numerous Top 10 lists on how to ply the C-Suite for more security spend, have the industry’s collective prayers finally been answered? In New York, perhaps. However, is it more than we wished for? While everyone has (we’d hope) a working knowledge of security basics, it is a lot to ask of professionals who have spent decades in other fields.
That’s why the original requirement already states that a CISO must be designated, and that this CISO can be in-house or (interestingly) employed by an affiliate or a third-party service provider. Once a year, the CISO is responsible for providing a written report on the organization’s cybersecurity program to the senior governing body, which must in turn "exercise oversight of the covered entity’s cybersecurity risk management." That part is new.
That’s a lot to ask. But the amendment provides a fail-safe of sorts, stating that this presumably non-technical governing body must "have sufficient understanding of cybersecurity-related matters, which may include the use of advisors," to carry out its duties. Those duties include:
- Having to maintain a working cybersecurity program
- Regularly reviewing management reports about cybersecurity matters (whether you want to or not)
- Making sure the cybersecurity program has enough resources to run (specifically “sufficient resources to implement and maintain an effective cybersecurity program”)
These wins are astronomical. All this talk about getting C-Suite support and now it’s here in writing. Making security a regular part of the executive discussion is no longer a long shot – it's the law.
Three Days, Not Four
You know times are tough when the US Securities and Exchange Commission (SEC) cybersecurity disclosure rules aren’t enough. The SEC gives public companies four business days to disclose a material cybersecurity incident; NYDFS gives covered entities 72 hours, and the clock starts at determination, not at discovery.
The wording gets debatably tricky around the word "determine," and that is because of a precedent that was attempted, but not set, in another rulemaking. The US Federal Trade Commission (FTC) recently amended its Safeguards Rule, which takes effect in the spring of 2024 and requires non-banking financial institutions to notify the FTC within 30 days of discovering a data breach affecting at least 500 consumers. In the rulemaking record, the choice between "discovery" and "determination" was debated:
“SIFMA and BPI suggested that ‘determination’ takes place sometime after “discovery,” and that financial institutions should have 30 days to notify the Commission after making this determination rather than after discovery. SIFMA and BPI argued that ‘determination’ ‘connotes a higher standard of certainty than “discovery”’.”
“The Commission [disagreed] that 30 days after discovery of a notification event is insufficient time...The Commission expects that companies will be able to decide quickly whether a notification event has occurred by determining whether unencrypted customer information has been acquired... so there will not be a significant difference between ‘determination’ and ‘discovery’.”
In so many words, some commenters in the Safeguards rulemaking favored "determination" as the trigger because it would give institutions more time before reporting. The FTC rejected that in favor of "discovery," which starts the clock the day the event is found. Whatever the case there, financial institutions covered by NYDFS have 72 hours from the time they determine a cybersecurity incident has occurred to notify the regulator.
Additionally, covered entities must promptly provide the regulator with any information it requests about the incident, and must update that information as new details come to light.
Stepping in the Right Direction
As states like New York take matters into their own hands, they represent the zeitgeist of their constituents in mandating even stricter cybersecurity policies to prevent financial risk. People want to know when something has happened to their information, and they want to know fast. They want increased transparency, and they want those “at the top” to care about the cyber-welfare of us all, even if by legal requirement.
Was the industry heading there anyway? Yes. Market forces have made dealing with cybersecurity as a business initiative all but inevitable. But this recent legislation made it even more apparent that customers want these protections – and corporate concerns – written in stone.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire.