What You Need to Know: Cybersecurity Requirements for Financial Services Companies
New York cyber security rules go into effect March 1
In September of 2016, Governor Andrew M. Cuomo announced that a new first-in-the-nation regulation had been proposed to protect New York State from the ever-growing threat of cyber-attacks. The regulation requires banks, insurance companies, and other financial services institutions regulated by the State Department of Financial Services to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.
It requires regulated financial institutions to:
- Establish a cybersecurity program;
- Adopt a written cybersecurity policy;
- Designate a Chief Information Security Officer responsible for implementing, overseeing and enforcing its new program and policy;
- Have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third-parties, along with a variety of other requirements to protect the confidentiality, integrity and availability of information systems.
“New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises,” said Governor Cuomo. “This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible.”
The proposed regulation by the Department of Financial Services includes certain regulatory minimum standards while maintaining flexibility, so that the final rule does not limit industry innovation and instead encourages firms to keep pace with technological advances.
New York State Department of Financial Services Superintendent Maria T. Vullo said, “Consumers must be confident that their sensitive nonpublic information is being protected and handled appropriately by the financial institutions that they are doing business with. DFS designed this groundbreaking proposed regulation on current principles and has built in the flexibility necessary to ensure that institutions can efficiently adapt to continued innovations and work to reduce vulnerabilities in their existing cybersecurity programs. Regulated entities will be held accountable and must annually certify compliance with this regulation by assessing their specific risk profiles and designing programs that vigorously address those risks.”
Prior to proposing this new regulation, the Department of Financial Services surveyed nearly 200 regulated banking institutions and insurance companies to obtain insight into the industry’s efforts to prevent cybercrime. Additionally, it met with a cross-section of those surveyed, as well as cybersecurity experts, to discuss emerging trends and risks, as well as due diligence processes, policies and procedures governing relationships with third party vendors. The findings from these surveys led to three reports which helped to inform the rulemaking process.
IT-DR & Cybersecurity Plans
IT-DR & Cybersecurity plans are a critical component that intersects with business continuity recovery, because there is an inherent relationship between IT systems and the business functions they support. When an organization implements an IT Disaster Recovery strategy, that strategy, together with the people and processes needed for recovery, must be documented in an IT-DR plan and aligned to the Business Impact Analysis (BIA) priorities and dependencies. The plan's objectives are to:
- Assure prompt and appropriate response to an IT outage;
- Provide an organized and consolidated approach to the management of IT recovery activities;
- Recover essential IT operations in a timely manner;
- Restore operations once an alternative data center is
The resulting plan provides the capability to help ensure essential technology services are promptly restored following an unplanned interruption. A well-designed and tested plan:
- Lowers impact to critical business functions and customers;
- Reduces time required to restore essential technology services;
- Minimizes errors by having trained and knowledgeable personnel; and
- Mitigates exposures by implementing proven data backup and protection strategies.
At Firestorm, we employ a Predict.Plan.Perform. methodology to analyze and enhance the IT-DR and Cybersecurity planning process. The process should be evaluated for the five stages of a crisis with distinct decisions to be made, actions taken, and communications in each stage:
- Preaction – Preparedness responsibilities include the ongoing duties necessary to maintain normal day-to-day business operations. Annual Preaction activities are completed to mitigate the impact of negative events, including regularly scheduled document reviews and activities that address business requirements, recovery strategies, and personnel training issues.
- Onset – At the start of this phase, a preliminary impact/damage assessment will be conducted to determine damage to the impacted data center infrastructure.
- Impact Assessment – Some IT impact/damage assessment activities are performed concurrently with many of the activities in the Onset Phase. DRT members assist the Crisis Management Team (CMT) in investigating and assessing the IT event, and confer with other business units to perform an initial assessment of IT impact/damage and client impact.
In a situation where the impacted data center has sustained physical damage, a more in-depth IT impact/damage assessment is performed to determine the full extent of the damage and impacts. At this time, the insurance claim process and the salvage effort begin, led by the DRT.
- Response & Recovery – Upon receipt of authorization from the CMT that an IT disaster has been officially declared, computer processing will be resumed at the IT Recovery Site.
- Post-Consequence Management – In this phase, the handling of the crisis will be analyzed and lessons learned documented. Changes/updates to company procedures and documents will reflect lessons learned.
Because of the irreplaceable value of company data, successful recovery is absolutely dependent upon the reliability of a robust data backup and protection program. A formal analysis of this program is needed to document the effectiveness of current data backup practices and procedures and evaluate the company’s ability to recover essential data and information following a technology disaster.
This analysis/evaluation should:
- Review the data backup and availability strategy;
- Review selected data synchronization;
- Review work-in-process and pending transactions;
- Evaluate findings against the company’s defined business Recovery Point Objectives; and
- Document findings and present recommendations to correct identified exposures or weaknesses.
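As an added illustration of the RPO evaluation step (this is example code written for this page, not Firestorm's methodology or tooling), the script below reads a backup job log in a constructed format, finds the last successful backup per system, and compares its age at the time of the assessment against the business-defined Recovery Point Objective. The systems, timestamps, and RPO values are all constructed; a failed job never counts as a recovery point, and a system with no successful backup at all is reported as an exposure ahead of everything else.

```python
"""RPO compliance check over a backup job log (added example; constructed data)."""
from datetime import datetime

# Constructed sample inputs, not taken from the page.
# Business-defined Recovery Point Objective per system, in hours.
RPO_HOURS = {
    "core-banking-db": 1,
    "email": 4,
    "file-share": 24,
    "payments": 2,   # deliberately has no backup record at all
}

# Constructed backup job log, one job per line: "<ISO timestamp> <system> <status>".
BACKUP_LOG = """\
2024-03-01T00:05:00 core-banking-db SUCCESS
2024-03-01T00:45:00 core-banking-db SUCCESS
2024-03-01T01:10:00 core-banking-db FAILED
2024-02-29T22:00:00 file-share SUCCESS
2024-02-29T20:00:00 email SUCCESS
2024-03-01T00:00:00 email FAILED
""".splitlines()

# Point in time at which the assessment is performed (constructed).
ASSESSMENT_TIME = datetime(2024, 3, 1, 2, 0, 0)


def parse_backup_log(lines):
    """Parse log lines into (timestamp, system, status) tuples, skipping malformed lines."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        records.append((ts, parts[1], parts[2].upper()))
    return records


def last_successful_backup(records):
    """Return the most recent SUCCESS timestamp per system; failed jobs do not count."""
    latest = {}
    for ts, system, status in records:
        if status != "SUCCESS":
            continue
        if system not in latest or ts > latest[system]:
            latest[system] = ts
    return latest


def evaluate_rpo(records, rpo_hours, now):
    """Compare the age of each system's last good backup against its RPO.

    Returns a dict keyed by system giving the data-loss window (in hours) the
    business would face if a disaster struck at `now`, and whether that window
    is within the agreed RPO. A system with no successful backup is reported
    as not meeting RPO with age None (unbounded exposure).
    """
    latest = last_successful_backup(records)
    results = {}
    for system, rpo in rpo_hours.items():
        if system not in latest:
            results[system] = {"age_hours": None, "rpo_hours": rpo, "meets_rpo": False}
            continue
        age = (now - latest[system]).total_seconds() / 3600
        results[system] = {"age_hours": age, "rpo_hours": rpo, "meets_rpo": age <= rpo}
    return results


def exposures(results):
    """List the systems whose potential data loss exceeds RPO, worst first."""
    failing = [(s, r) for s, r in results.items() if not r["meets_rpo"]]
    # Systems with no backup at all sort ahead; then by largest age.
    failing.sort(key=lambda item: (item[1]["age_hours"] is not None,
                                   -(item[1]["age_hours"] or 0)))
    return [s for s, _ in failing]


if __name__ == "__main__":
    res = evaluate_rpo(parse_backup_log(BACKUP_LOG), RPO_HOURS, ASSESSMENT_TIME)
    for system in exposures(res):
        r = res[system]
        age = "no successful backup" if r["age_hours"] is None else f"{r['age_hours']:.2f}h old"
        print(f"EXPOSURE {system}: last good backup {age}, RPO {r['rpo_hours']}h")
```

Run against a real job history, the same comparison turns "review the data backup strategy" into a concrete finding per system: the gap between the last good recovery point and the RPO is exactly the data the business has agreed it can afford to lose, and anything beyond it is an exposure to document and correct.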
The resulting IT-DR plan will document the teams, critical resources, and actionable steps that must be followed to restore the IT infrastructure.
The IT-DR plan should address:
- Recovery prioritization structure for critical IT components, applications and data;
- Identification of key utilities, software, hardware, network and licensing keys needed for recovery;
- Identification of IT recovery personnel;
- Response and recovery actions by functional teams;
- Actionable steps required to complete recovery;
- Identification and location of critical vital records needed for recovery; and
- Identification of critical suppliers.
The recovery activities the plan should direct include:
- Conducting an IT-related impact/damage assessment and recovery time estimate;
- Coordinating the establishment and transition of IT processing;
- Determining if external resources are needed;
- Ensuring the recovery of essential IT operations;
- Adhering to IT procedures throughout the recovery effort;
- Coordinating the development and implementation of restoration procedures;
- Assisting affected departments to recover data, access LAN, and voice communications; and
- Resolving technical and logistical problems encountered during recovery.
Once the plan is developed, training and testing will be essential for the plan’s success. The training, in addition to making all company team members aware of their duties under the plan, should validate the conceptual completeness of the plan, resulting in an efficient and effective response and recovery process. Testing will demonstrate areas where the plan requires modification. Proper planning can keep a disruption from becoming a disaster.
Firestorm can assist in any aspect of your program – from design to implementation and testing. Contact Jim Satterfield to schedule a no-fee assessment and to discuss next steps in compliance strategies.