This month, New York State Governor Andrew Cuomo announced a proposed regulation that requires banks, insurance companies, and other financial services institutions regulated by the NY State Department of Financial Services to comply with a set of requirements designed to strengthen the security posture of those organizations and their customers’ information.
The requirements include annual penetration testing and risk assessments, establishing programs and policies to identify cyber risks and detect cyber events, appointing a Chief Information Security Officer to oversee cyber security programs, conducting risk assessments of third-party vendors who access sensitive information, and more.
While it doesn’t hurt to require companies to implement and adhere to a set of cyber security requirements, in this particular case it remains to be seen how much additional value the proposed regulation provides. The proposal does include a few standout requirements that differ from the many other cyber security frameworks and regulations already out there. For example, the regulation requires that written cyber security policies are established and reviewed by companies’ boards of directors at least once a year.
As revealed in a recent survey conducted by Osterman Research, the proportion of board members who consider cyber risk to be a “high” priority issue has grown from seven percent in 2014 to 30 percent today and an expected 44 percent by 2018. Boards want to get involved and understand how exactly the companies they govern are being protected.
Requiring annual reviews of cyber security policies ensures that board members get a chance to understand what processes are in place and how effective their past decisions have been. Similarly, and probably one of the most impactful proposals, is the requirement for annual certification by the chairman of the board or another senior officer. This Sarbanes-Oxley-like provision, which can hold the signatory personally liable, will ensure that the board pays attention.
The potential downside of this new proposal is that it creates yet another set of reports and frameworks in an industry that already has a plethora of them. Most financial companies already focus their efforts on adhering to the Payment Card Industry Data Security Standard (PCI DSS), the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool, the National Institute of Standards and Technology (NIST) framework and others.
The legwork required to adhere to the already existing standards, guidelines and frameworks takes on a life of its own with armies of people crunching data and putting together spreadsheets for reporting. They need to collect and present the information multiple times since each regulation comes in different variations. Companies have become so compliance-centric that they are more focused on “checking the compliance box” than their actual primary responsibility – protecting the company’s valuable assets.
Most of the newly proposed NYS requirements do not vastly differ from those already in the industry. Regular risk assessments and penetration testing are already required and/or recommended. Most large financial companies already have a CISO in place, so that requirement does not add much for most, though it may be helpful for smaller institutions in the state. For most financial institutions in the state, there is nothing too novel about the regulations; most companies are already aware of, required to meet, and/or working towards the listed requirements.
What the industry really needs is a consolidated set of requirements that drives a risk-based approach focused on the effectiveness of security controls rather than on compliance checkboxes confirming that the controls are in place. If you look back at some of the high profile breaches during the past few years, you will see the victims were in compliance when they were breached. That’s because the existing requirements are so focused on making sure, for example, that companies are using encryption, instead of on actual metrics that show the percentage of information that is really encrypted, or on the requirement to use antimalware protection without validating the health of those agents or whether their software and signatures are up to date.
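To make the distinction between a compliance checkbox and an effectiveness metric concrete, here is an added example (not code from the article or from any regulator) that scores a constructed host inventory both ways. The hostnames, dates and the seven-day signature-freshness threshold are assumptions chosen for illustration; the "checkbox" view asks only whether encryption is used anywhere and an antimalware agent is installed everywhere, while the effectiveness view reports what percentage of hosts are actually encrypted and what percentage have a running agent with current signatures.

```python
"""Effectiveness metrics vs. compliance checkboxes over a constructed host inventory."""
from datetime import date, timedelta

# Constructed sample inventory (hypothetical hosts and dates; not data from the article).
INVENTORY = [
    {"host": "db-01",   "disk_encrypted": True,  "am_installed": True, "am_running": True,  "am_sig_date": date(2016, 9, 20)},
    {"host": "web-01",  "disk_encrypted": False, "am_installed": True, "am_running": True,  "am_sig_date": date(2016, 9, 21)},
    {"host": "web-02",  "disk_encrypted": True,  "am_installed": True, "am_running": False, "am_sig_date": date(2016, 8, 1)},
    {"host": "file-01", "disk_encrypted": True,  "am_installed": True, "am_running": True,  "am_sig_date": date(2016, 8, 30)},
    {"host": "lap-01",  "disk_encrypted": False, "am_installed": True, "am_running": True,  "am_sig_date": date(2016, 9, 21)},
]

# Assumed date of the inventory snapshot; signature age is measured against it.
SNAPSHOT_DATE = date(2016, 9, 22)


def checkbox_view(inventory):
    """The compliance-checkbox reading: is encryption 'in use' and antimalware 'deployed'?"""
    return {
        "encryption_in_use": any(h["disk_encrypted"] for h in inventory),
        "antimalware_deployed": all(h["am_installed"] for h in inventory),
    }


def encryption_coverage(inventory):
    """Effectiveness metric: percentage of hosts whose disks are actually encrypted."""
    total = len(inventory)
    encrypted = sum(1 for h in inventory if h["disk_encrypted"])
    return round(100.0 * encrypted / total, 1) if total else 0.0


def antimalware_health(inventory, as_of, max_sig_age_days=7):
    """Effectiveness metric: percentage of hosts whose agent is running with
    signatures no older than max_sig_age_days, plus the reason each failing host fails."""
    cutoff = as_of - timedelta(days=max_sig_age_days)
    failures = {}
    for h in inventory:
        if not h["am_installed"]:
            failures[h["host"]] = "agent not installed"
        elif not h["am_running"]:
            failures[h["host"]] = "agent not running"
        elif h["am_sig_date"] < cutoff:
            age = (as_of - h["am_sig_date"]).days
            failures[h["host"]] = f"signatures stale ({age} days old)"
    total = len(inventory)
    healthy = total - len(failures)
    return {
        "healthy_percent": round(100.0 * healthy / total, 1) if total else 0.0,
        "failures": failures,
    }


if __name__ == "__main__":
    print("checkbox view:", checkbox_view(INVENTORY))
    print(f"encryption coverage: {encryption_coverage(INVENTORY)}%")
    health = antimalware_health(INVENTORY, SNAPSHOT_DATE)
    print(f"antimalware healthy: {health['healthy_percent']}%")
    for host, reason in health["failures"].items():
        print(f"  {host}: {reason}")
```

On this constructed inventory the checkbox view answers "yes" to both questions, while the effectiveness metrics show only 60% of hosts encrypted and only 60% with a healthy, current antimalware agent; the per-host reasons are what an operations team can actually act on.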
A regulatory framework that measures effectiveness would provide greater insight and transparency, and drive greater levels of real protection. That would be a true game changer.