New York increases cyber risk accountability for financial services boards and executives
Just three months after the SEC adopted its rules for enhanced cybersecurity disclosures, the New York State Department of Financial Services (NYSDFS) finalized amended regulations that go significantly further for the financial services organizations it regulates: defining specific required elements of a cybersecurity program, requiring independent audits of that program, and, most notably, adding significant cybersecurity responsibilities for the board and C-suite.
The tighter NYSDFS rules signal a broader regulatory shift toward explicit accountability among boards and executives for overseeing a comprehensive cyber risk program.
Boards need to effectively demonstrate cyber literacy
The new SEC rules require companies to describe the board’s oversight of cyber risk, which amounts to an unequivocal statement that the board is accountable for these business-critical risks. The NYSDFS rule goes further, requiring that the board have “sufficient understanding of cybersecurity-related matters” to exercise that oversight, whether through the directors’ own knowledge and expertise or through third-party advisers who cover gaps in that expertise.
In other words, the NYSDFS wants boards to show that their oversight actually means something: that board members have the cyber literacy to evaluate a program in the first place.
Defining CISO responsibilities: The buck stops here
While the implications of SEC rules will, in practice, fall on CISOs, the NYSDFS rules formally define the CISO’s role in cybersecurity program management and board reporting around cyber risk.
Put simply, the NYSDFS rules say the buck stops with the CISO when it comes to cybersecurity. The CISO is responsible for overseeing and implementing the cybersecurity program, enforcing its policies, and co-signing the annual certification of compliance with the regulation.
The amended rule also requires the CISO to report to the board at least annually on the cybersecurity program and to report material cybersecurity issues to the board in a timely manner. Regular, structured board reporting on cybersecurity is a trend that has accelerated organically over the past few years, but it is now a matter of compliance, not simply proactive best practice.
Mandating proactive cybersecurity planning
The NYSDFS also mandates more than the disclosure of a cybersecurity program’s elements: the amended rules stipulate how those policies and controls should be built to achieve specific outcomes around proactive cyber risk mitigation.
In effect, the NYSDFS wants to ensure that companies have the mechanics under the hood to execute on their stated commitment to proactive cyber risk mitigation, not just a policy document that describes it.
Some of these requirements focus on technical controls, such as multi-factor authentication for remote and third-party access, vulnerability management (including regular scanning and timely patching), and controls on email and web traffic to block malicious content. Others specify components of attack preparedness planning.
For example, the NYSDFS rules on business continuity and disaster recovery planning require companies to identify in advance the systems, assets and third parties that are critical to their operations. Businesses must also show that their backup and resiliency procedures are grounded in an objective assessment of how quickly they need to recover from an attack to avoid service disruption or financial loss, and must test those procedures, including the ability to restore from backups.
Stricter attack reporting windows
Despite the scale of the ransomware problem, the new SEC rules do not address ransomware payments. The NYSDFS requires that any extortion payment made in connection with a cybersecurity incident be reported within 24 hours of the payment.
Moreover, companies need to defend their decision to pay: within 30 days of the payment they must provide a written description of why the payment was necessary, the alternatives that were considered, the diligence performed in pursuing those alternatives, and how they ensured the payment complied with applicable sanctions rules.
The NYSDFS also requires notice of any cybersecurity incident within 72 hours of determining that one has occurred, a tighter window than the SEC’s four business days (which run from the company’s determination that the incident is material, not from discovery). Companies must also be ready to promptly provide any information the NYSDFS requests about the incident.
In effect, these reporting requirements demand a much more rigorous and proactive approach to creating and testing response plans for various types of cyberattacks. To be compliance-ready when an attack occurs, companies need clear protocols, assigned responsibilities, and the relevant tools in place ahead of time, and must have exercised them through tabletop simulations to confirm they perform as needed under a 72-hour clock.
Rapid rollout — with copycat legislation likely to follow
The NYSDFS is fast-tracking implementation of the amended rules. Most provisions take effect 180 days after the amendment’s effective date, but the tighter incident and ransomware payment reporting requirements apply after just 30 days. A smaller set of technical controls, such as the expanded multi-factor authentication requirements, have longer phase-in periods of one to two years.
The NYSDFS rules apply to entities licensed or regulated by the department under New York banking, insurance and financial services law, which includes the majority of the nation’s largest financial services companies. Larger firms that meet revenue and headcount thresholds (including more than $20 million in annual revenue from New York operations) are designated “Class A companies” and face additional requirements, such as independent audits and privileged access management. Moreover, other states and federal regulators have often followed NYSDFS’s example in the past, so these rules signal the likely direction of future cybersecurity regulation from other governing bodies.
Are you prepared?
While all of the NYSDFS rules fall under the umbrella of cybersecurity, their practical reach extends from IT and technology spend, to the way cybersecurity incidents are documented and reported, to potentially reshaping board and C-suite rosters to bring in deeper cybersecurity expertise.
Learn how Diligent can help your organization prepare for compliance with strict new cybersecurity disclosure requirements.