This week, senior executives from more than 3,000 banks, insurers and other financial services companies doing business in New York will have to personally certify that their computer networks are protected by a cybersecurity program appropriate for their organization’s risk profile.
The certification, imposed by the state’s banking regulator as part of its state cybersecurity rules, is the first in a slew of new requirements that will come into effect this year in New York — one of the leading centers of the global banking system.
The requirement for personal certification is being compared to the post-Enron Sarbanes-Oxley corporate governance reforms that upended boardrooms across the country. The so-called SOX regulations require one of the company’s top executives to sign off on the integrity and accuracy of its financial information.
In the same way, attorney Craig Newman told CyberScoop, the new regulations from New York’s Department of Financial Services (DFS) are designed to drive accountability and oversight of the banks’ cybersecurity posture up the corporate management structure to the very top — only the chairman of the board of directors or a senior officer like the CEO can certify that the company is in compliance.
“DFS has made cybersecurity a governance issue,” said Newman, a partner at the Manhattan law firm Patterson Belknap Webb & Tyler, who advises banks on compliance. “It’s a huge leap in cyber and data security regulation.”
“Compliance certification is a critical governance pillar for the cybersecurity program of all DFS regulated entities,” said Financial Services Superintendent Maria Vullo in a recent statement that reminded banks and other providers of their obligations. She added that certifications should be filed electronically through the agency’s online cybersecurity portal.
One of the most contentious issues as the rules were being debated last year was the requirement that the banks must report to DFS within 72 hours all cybersecurity “events” — which the regulator insisted could include even unsuccessful hacking attempts.
In a FAQ document designed to clear up several areas of the rule, DFS wrote “most unsuccessful attacks will not be reportable,” but added banks should report “those unsuccessful attacks that … are sufficiently serious to raise a concern.”
Newman said that was to aid in “information sharing about particular threats that might affect the industry more broadly.”
Steven Chabinsky, a partner at international law firm White & Case and former senior FBI official, told CyberScoop the agency has said “it doesn’t intend to penalize a company for exercising honest, good faith judgment in not reporting something” — which he called “encouraging.”
The problem facing banks, he explained, is that “risk-based security is a balancing act and there often aren’t clearly right or wrong answers.”
The agency “appears willing to take into account a company’s good faith interpretation of the new regulation in areas where there’s some ambiguity or room for discretion,” he added. “If the regulation isn’t meant to be a game of ‘gotcha,’ companies will be far more likely to provide collaborative feedback to DFS.”
The certification due this week, which covers calendar year 2017, includes the half-dozen most straightforward elements of the new rules — those which came into force in August last year. Since then, financial institutions covered by the rules are required to have:
- Adopted a cybersecurity program appropriate to the bank’s risk profile.
- Adopted cybersecurity policies designed to protect the bank’s information systems and the customer data they hold.
- Appointed a chief information security officer “responsible for overseeing and implementing the [bank’s] cybersecurity program and enforcing its cybersecurity policy.”
- Engaged qualified cybersecurity personnel (either staff or contractors) to work with the CISO in managing the company’s risk.
- Developed an incident response plan.
- Taken steps to control privileged access to its IT network.
By certifying, the rule states, the executive is attesting that he or she has “reviewed documents, reports, certifications and opinions of such officers, employees, representatives, outside vendors and other individuals or entities as necessary” to ascertain that the bank is in compliance.
Imposing that personal responsibility has “heightened organizations’ awareness of their data security environment,” said Newman. “Clients are taking this very seriously.”
They had better be. DFS has scheduled the more onerous requirements further out along the two-year transition timetable, and the toughest tests are yet to come.
The best is yet to come
Just two weeks away, March 1 is the second implementation deadline, when a further swath of provisions comes into force, requiring regulated banks and other financial service providers to:
- Implement either continuous monitoring or periodic penetration testing and vulnerability assessments of their IT networks.
- Conduct a full-scale risk assessment of their information systems, to inform their cybersecurity programs.
- Implement multi-factor authentication for remote access, and more widely as indicated by their risk assessments.
- Provide regular cybersecurity awareness training for staff.
- Begin annual reporting from the CISO to the board of directors.
The risk assessment is “one of the heavier lifts” in the rule, said Newman, in part because it will “need to drive change in many components of the cybersecurity policy and internal controls.”
The third deadline is in September, when the requirements come into force for encryption of nonpublic data, an audit trail for network events, screening of all IT applications, an insider threat-type program for authorized system users and a schedule for the retention and purging of customer information.
But the heaviest lift of all for most institutions, said Newman, is the requirement that comes into force last of all, in March 2019, for institutions to have completed what DFS calls a “thorough due diligence process” on all of their service providers.