NYDFS Cybersecurity Regulation Isn’t Just a Phase
Published on July 16, 2018
The New York Department of Financial Services (NYDFS) Cybersecurity Regulation was a first-in-the-nation cybersecurity regulation when it became effective on January 1, 2017. It was big news then, and it’s big news now.
As part of the regulation’s four-phase approach, Phase 3, developing a cybersecurity program, is enforceable on September 3, 2018. Phase 4, which calls for securing third parties, has an enforcement date of March 1, 2019.
For financial services firms required to comply with the NYDFS Cybersecurity Regulation, the mandate will not go away once processes are updated. No sooner do you adapt to one compliance process than the next phase of the regulation is on the horizon. What’s more, complying with Phases 3 and 4 will be more challenging than Phases 1 and 2.
In this post, we’ll cover the Phase 3 and Phase 4 requirements, along with ideas on managing these new phases and ensuring your program is built for the long haul.
Phase 3: Developing a cybersecurity program
Cybersecurity isn’t just about scanning and detecting, or even managing incidents. Phase 3 takes you into a foundational element of cybersecurity: establishing a cybersecurity program.
Program elements include implementing security controls and developing security practices (policies, procedures, guidance) for internal applications and testing of external applications. Phase 3 also stipulates data retention policies and audit trail records for cybersecurity events.
While Phase 1 covered the basics and Phase 2 focused on reporting procedures, Phase 3 requirements are more challenging in terms of legwork and documentation. It states that policies must be written, approved and disseminated. Testing of those policies may require new processes, and the required audit trail will demand meticulous record-keeping.
Phase 4: Securing third parties
Chances are, your firm outsources certain functions or relies on outside entities. Phase 4 focuses on the security of these third-party service providers.
Phase 4 requires you to conduct periodic assessments of third parties’ controls, policies and procedures, as well as perform due diligence on their cybersecurity practices. Your firm and the third party must meet these requirements as a condition of doing business together.
In many ways, Phase 4 is the most important phase of the regulation. The financial services industry is one of the most attacked industries, and managing third-party risk is a top concern among risk managers across industries. Many of the high-profile data breaches in recent memory, like Facebook, are traced to the use of a third party. Third parties are an extension of your firm. In matters of cybersecurity, what happens to them happens to you.
Upgrade your cybersecurity solution
How does your firm currently comply with the NYDFS Cybersecurity Regulation? In Phases 1 and 2, you may have been able to get by using manual processes like spreadsheets and word processing. Phases 3 and 4 will be a tough slog using such everyday office tools.
Expanding compliance requirements don’t have to mean adding people and resources. A technology platform that integrates with your processes can adapt and scale to meet your compliance and risk management needs. Platform users can manage the spectrum of requirements mandated by Phases 3 and 4, which include policy/procedure awareness, IT risk, assessments, reporting, risk management and third-party risk.
The NYDFS Cybersecurity Regulation is designed to improve the cybersecurity of New York financial services firms and protect the data in their financial systems. That’s the goal, but the reality is that cybersecurity incidents can occur outside the regulatory scope.
Here, again, a technology platform can improve cyber defenses and adapt as needed. It centralizes cybersecurity regulatory information in one interconnected database that’s easy to access and serves as a single source of truth. Information is linked to controls, policies, procedures, assets, risks, even third parties, and stored in a central location. A change like a new requirement alerts stakeholders to update impacted controls, policies and more.
The NYDFS Cybersecurity Regulation was the first of its kind, but it certainly won’t be the last. Cybersecurity and data privacy regulation will sweep through industries in the near term. Phased approaches give businesses more time to adapt their processes, but to compliance departments, phases can feel like a never-ending change cycle. The right technology platform sets you up to manage compliance and scale with regulatory change while delivering efficiencies.